Hi,
The user db on my system is stored in LDAP and integrated with PAM and NSS. The LDAP db also contains address book data for each user. I would like to be able to call ldap utilities (e.g. ldapsearch) without having the user enter his/her password every time. I would also like for scripts running as those users to have access to the respective LDAP entries. I noticed ldapsearch supports SASL binds, so I was wondering if that could be used in conjunction with Kerberos to accomplish my goal (from what I understand, the kinit command would have to be called before ldapsearch). Is there any other way to do this?
Thanks, Jean-Luc
--On Tuesday, February 07, 2012 6:22 PM -0500 Jean-Luc Wasmer openldap@2012.jl.wasmer.ca wrote:
> Hi,
> The user db on my system is stored in LDAP and integrated with PAM and NSS. The LDAP db also contains address book data for each user. I would like to be able to call ldap utilities (e.g. ldapsearch) without having the user enter his/her password every time. I would also like for scripts running as those users to have access to the respective LDAP entries. I noticed ldapsearch supports SASL binds, so I was wondering if that could be used in conjunction with Kerberos to accomplish my goal (from what I understand, the kinit command would have to be called before ldapsearch). Is there any other way to do this?
Read the admin guide.
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
On Wednesday, 8 February 2012 01:22:33 Jean-Luc Wasmer wrote:
> Hi,
> The user db on my system is stored in LDAP and integrated with PAM and NSS. The LDAP db also contains address book data for each user. I would like to be able to call ldap utilities (e.g. ldapsearch) without having the user enter his/her password every time. I would also like for scripts running as those users to have access to the respective LDAP entries. I noticed ldapsearch supports SASL binds, so I was wondering if that could be used in conjunction with Kerberos to accomplish my goal
Yes.
> (from what I understand, the kinit command would have to be called before ldapsearch).
You would need to have a TGT. In a Kerberos environment, you should normally have things in place to ensure this (e.g. pam_krb5 for auth and session would accomplish getting an initial TGT on a login session).
> Is there any other way to do this?
There are other SASL mechs that may be of use, but also require other infrastructure or credential distribution. Kerberos/GSSAPI has other advantages as well, due to wide support/adoption.
Regards,
Buchan
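The flow Buchan describes, as an added example that is not part of the thread or of OpenLDAP itself: reuse the TGT an interactive login already left in the credential cache, fall back to a keytab only for unattended scripts, then let ldapsearch bind with SASL/GSSAPI so no password prompt appears. The realm EXAMPLE.COM, the server ldap.example.com, the base dc=example,dc=com and the per-user keytab path are assumptions; the KLIST/KINIT variables exist only so the TGT logic can be exercised without a KDC.

```shell
#!/bin/sh
# Added example (not from the thread): bind ldapsearch with SASL/GSSAPI
# without prompting, acquiring a TGT from a keytab when none is cached.
# Hypothetical values: realm EXAMPLE.COM, server ldap.example.com,
# base dc=example,dc=com, per-user keytab under $HOME.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
KEYTAB="${KEYTAB:-$HOME/.krb5.keytab}"   # mode 0600: it is a long-term key
PRINC="${PRINC:-$(id -un)@EXAMPLE.COM}"
KLIST="${KLIST:-klist}"                  # overridable so the logic is testable
KINIT="${KINIT:-kinit}"

# 0 if the default credential cache holds an unexpired TGT, 1 otherwise.
have_tgt() {
    "$KLIST" -s >/dev/null 2>&1
}

# Reuse the TGT from an interactive login (e.g. pam_krb5) if there is one;
# otherwise, for unattended scripts, acquire one from the keytab.
ensure_tgt() {
    if have_tgt; then
        return 0
    fi
    if [ -r "$KEYTAB" ]; then
        "$KINIT" -k -t "$KEYTAB" "$PRINC"
        return $?
    fi
    echo "ensure_tgt: no TGT cached and no readable keytab at $KEYTAB" >&2
    return 1
}

# Print the identity slapd derived from the GSSAPI bind. Without an
# authz-regexp mapping it has the form uid=<user>,cn=<realm>,cn=gssapi,cn=auth,
# so ACLs written against the user's real DN only apply once it maps there.
ldap_gssapi_whoami() {
    ensure_tgt || return 1
    ldapwhoami -Q -Y GSSAPI -H "$LDAP_URI"
}

# Search as the ticket holder. -Y GSSAPI selects the SASL mechanism, -Q
# suppresses the SASL banner and -LLL strips LDIF comments, so a script sees
# plain LDIF on stdout. Remaining arguments are the filter and attributes.
ldap_gssapi_search() {
    ensure_tgt || return 1
    ldapsearch -Q -LLL -Y GSSAPI -H "$LDAP_URI" -b "$BASE_DN" "$@"
}

# Usage (after sourcing this file):
#   ldap_gssapi_whoami
#   ldap_gssapi_search "(uid=$(id -un))" mail telephoneNumber
```

Two practitioner notes. First, run ldap_gssapi_whoami once before trusting any ACL: the identity it prints is what slapd sees, and the per-user access the original question asks for only works if that SASL identity is mapped (authz-regexp, as in the admin guide's GSSAPI section) to the user's entry DN. Second, a keytab is a persistent credential equivalent to the password, so it belongs only to the unattended-script case; a script that does acquire its own TGT should set KRB5CCNAME to a private cache rather than overwrite the interactive user's.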
openldap-technical@openldap.org