-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi,

I'm attempting to use Kerberos as a password storage backend in my LDAP server.

I have the server set up with its own principal of the form ldap/domainname@REALM, and this keytab is in the KRB5_KTNAME environment variable as slapd starts.

I have put olcSaslRealm=REALM and olcSaslHost=kdc.domain into my cn=config.

Then, I have uid=user, where the userPassword attribute is {KERBEROS}user@REALM

When attempting to bind to this user, it seems to fail. When I reset the password to a standard SSHA hash, it authenticates correctly. I can authenticate with Kerberos to the host that is the LDAP-enabled client, but I just cannot use LDAP with the Kerberos password backend.

Any help in solving what else I need to do in this would be greatly appreciated.

William Brown
pgp.mit.edu
Indexer wrote:
> Hi,
>
> I'm attempting to use Kerberos as a password storage backend in my LDAP server.
>
> I have the server set up with its own principal of the form ldap/domainname@REALM, and this keytab is in the KRB5_KTNAME environment variable as slapd starts.
>
> I have put olcSaslRealm=REALM and olcSaslHost=kdc.domain into my cn=config.
>
> Then, I have uid=user, where the userPassword attribute is {KERBEROS}user@REALM

Who told you to do that? There is no such password scheme in any OpenLDAP documentation.

> When attempting to bind to this user, it seems to fail. When I reset the password to a standard SSHA hash, it authenticates correctly. I can authenticate with Kerberos to the host that is the LDAP-enabled client, but I just cannot use LDAP with the Kerberos password backend.
>
> Any help in solving what else I need to do in this would be greatly appreciated.
>
> William Brown
On 2010-08-04 10:30, Howard Chu wrote:
> Indexer wrote:
>> Hi,
>>
>> I'm attempting to use Kerberos as a password storage backend in my LDAP server.
>>
>> I have the server set up with its own principal of the form ldap/domainname@REALM, and this keytab is in the KRB5_KTNAME environment variable as slapd starts.
>>
>> I have put olcSaslRealm=REALM and olcSaslHost=kdc.domain into my cn=config.
>>
>> Then, I have uid=user, where the userPassword attribute is {KERBEROS}user@REALM
>
> Who told you to do that? There is no such password scheme in any OpenLDAP documentation.
>
>> When attempting to bind to this user, it seems to fail. When I reset the password to a standard SSHA hash, it authenticates correctly. I can authenticate with Kerberos to the host that is the LDAP-enabled client, but I just cannot use LDAP with the Kerberos password backend.
>>
>> Any help in solving what else I need to do in this would be greatly appreciated.
>>
>> William Brown

What about setting up saslauthd to authenticate against Kerberos (e.g. with the command-line options -a kerberos5 -c -m /var/run/saslauthd), and then slapd to use that (e.g. in /etc/ldap/sasl2/slapd.conf something like:

pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

), then specifying the userPassword attribute as {SASL}user@REALM?

Cheers,

Geza Gemes
openldap-technical@openldap.org
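Geza's suggestion is the pass-through authentication the OpenLDAP Admin Guide documents for the {SASL} userPassword scheme (slapd has to be built with that support, and the keytab plus olcSaslHost/olcSaslRealm from the original post serve GSSAPI binds, not simple binds against a stored password). The following script is an added example, not code from this thread or from the OpenLDAP or Cyrus SASL projects: it writes the two pieces of configuration Geza names, builds the {SASL}user@REALM value and an LDIF to apply it, and includes a small audit check that rejects the {KERBEROS} spelling that failed above. The realm EXAMPLE.COM, the user alice, the base dc=example,dc=com and the PREFIX scratch directory are assumptions for illustration; on a real host run it with PREFIX=/.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenLDAP project): slapd
# pass-through authentication to Kerberos via saslauthd, as Geza describes.
# Hypothetical names: realm EXAMPLE.COM, user alice, base dc=example,dc=com.
# PREFIX defaults to a scratch directory so the script runs offline.

PREFIX="${PREFIX:-$(mktemp -d)}"
SASL_SOCKET_DIR="${SASL_SOCKET_DIR:-/var/run/saslauthd}"

# saslauthd command line: -a kerberos5 checks the password against the KDC,
# -c caches successful results, -m sets the socket directory. slapd must be
# pointed at the "mux" socket inside that directory.
saslauthd_cmdline() {
    printf 'saslauthd -a kerberos5 -c -m %s' "$SASL_SOCKET_DIR"
}

# Contents of slapd's Cyrus SASL config (Geza's /etc/ldap/sasl2/slapd.conf).
slapd_sasl_conf() {
    printf 'pwcheck_method: saslauthd\nsaslauthd_path: %s/mux\n' "$SASL_SOCKET_DIR"
}

# The pass-through value is {SASL}user@REALM. {KERBEROS} is not a scheme
# slapd knows, which is why the original bind failed while {SSHA} worked.
sasl_userpassword() {        # $1 = uid, $2 = realm
    printf '{SASL}%s@%s' "$1" "$2"
}

# LDIF that switches one entry from a stored hash to pass-through.
passthrough_ldif() {         # $1 = entry DN, $2 = uid, $3 = realm
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$1" "$(sasl_userpassword "$2" "$3")"
}

# Audit helper: succeeds only for a well-formed {SASL}user@REALM value, so a
# misspelled scheme (such as {KERBEROS}) or a missing realm is caught before
# the entry is written.
is_sasl_passthrough() {      # $1 = userPassword value
    case "$1" in
        '{SASL}'?*@?*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Write slapd's SASL config and the LDIF for the hypothetical user alice.
write_configs() {
    mkdir -p "$PREFIX/etc/ldap/sasl2" "$PREFIX/etc/ldap/ldif"
    slapd_sasl_conf > "$PREFIX/etc/ldap/sasl2/slapd.conf"
    passthrough_ldif 'uid=alice,ou=people,dc=example,dc=com' alice EXAMPLE.COM \
        > "$PREFIX/etc/ldap/ldif/alice-passthrough.ldif"
    echo "wrote $PREFIX/etc/ldap/sasl2/slapd.conf and $PREFIX/etc/ldap/ldif/alice-passthrough.ldif"
}

write_configs
echo "start saslauthd as: $(saslauthd_cmdline)"
cat <<'EOF'
Then check each layer in order, on the slapd host (hypothetical DNs):
  testsaslauthd -u alice -r EXAMPLE.COM -p 'password' -f /var/run/saslauthd/mux
  ldapmodify -x -D cn=admin,dc=example,dc=com -W -f /etc/ldap/ldif/alice-passthrough.ldif
  ldapwhoami -x -ZZ -D uid=alice,ou=people,dc=example,dc=com -W
EOF
```

testsaslauthd isolates the saslauthd-to-KDC leg from slapd, so a failure there is a Kerberos or socket problem rather than an LDAP one. Two caveats a practitioner will want: with pass-through the user's cleartext password travels in the simple bind and is then handed to saslauthd, so the bind must go over TLS (hence -ZZ above), and the -c cache means a password changed or revoked at the KDC can keep working against slapd until the cached entry expires.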