AW: Re: AW: Re: SASL bind with Kerberos: (was: Simple binds with SASL/GSSAPI (Resource temporarily unavailable))
Hi Quanah,
thanks again for your answer.
Did you make sure the GSSAPI module was installed with Cyrus-SASL? IIRC, it's a separate package under Ubuntu.
p libgssapi2-heimdal
- Heimdal Kerberos - GSSAPI support library
p libsasl2-modules-gssapi-heimdal
- Pluggable Authentication Modules for SASL (GSSAPI)
p libsasl2-modules-gssapi-mit
- Cyrus SASL - pluggable authentication modules (GSSAPI)
ii libsasl2-modules-gssapi-mit 2.1.22.dfsg1-18ubuntu2 \ Cyrus SASL - pluggable authentication module
(b) saslauthd and SASL/GSSAPI are unrelated. I.e., you don't need to be running saslauthd for SASL/GSSAPI to work. Now I'm confused. I always understood the way to use Kerberos authentication for accessing the ldap directory to be:
LDAP->SASL->Kerberos
and that I have to fill the SASL part with something real, like saslauthd. What did I miss here?
SASL/GSSAPI uses the existing Kerberos ticket to auth a user to LDAP
When using saslauthd, you do a simple bind to the LDAP server, which then connects to the KDC, gets a ticket, and auths the user.
Two very different things. I.e., the first, the user already has authed to the KDC. In the second, they haven't.
I see the difference, but still have some questions:
- In the first approach, the user already has a TGT and asks the KDC for a "ldap/fqdn@REALM-ticket"? This is done by ldapsearch, not by slapd? Hence, slapd "only" needs access to its keytab to be able to decrypt the clients messages?
- And in the second one, the user provides username and password (plain), slapd converts the username into a principle (user@REALM) and forwards this to saslauthd? So this should be secured via TLS?
I'm just looking for a setup that restricts access to LDAP to authenticated users (except, of course, information neccessary for authentication purposes). I need to use Kerberos for authentication, because I want to use NFSv4.
There used to be a well-known howto for all this at http://www.bayour.com/LDAPv3-HOWTO.html but the site is offline for some days now.
Thanks again for your help,
Hauke
--
openldap-technical@openldap.org
-
Hauke Coltzau