
LDAP + Kerberos = Bloody Nightmare!



I'm setting up an authentication system backended by OpenLDAP and
Kerberos, and want to stick with as much in the way of Debian-packaged
software as possible.  Getting LDAP and Kerberos to work hasn't been
difficult, but getting LDAP to authenticate against Kerberos has proven
to be all but impossible.  Any takers?

More details:

I've found a wealth of documentation on the 'net about various ways to
use LDAP for authentication, but very little on getting LDAP to allow
simple authentication with password checking against Kerberos.  I can
build OpenLDAP with the '--enable-kpasswd' option, but according to
almost everything else I come across, this is going bye-bye soon, and I
should be using SASL.

Kerberos is functional; kinit works as expected, I can use it for
authentication via pam-krb5 and so on.

LDAP is functional.  I can bind to a DN protected by crypted passwords,
bind anonymously, bind via TLS and SSL, execute queries, and so on.

SASL seems to work as well; testsaslauthd gives appropriate results when
given a username and password.

In LDAP, the 'userPassword' field for a user named 'test' has been set
to '{SASL}test@REALM', yet when I attempt a simple-auth bind to the LDAP
server, it never seems to actually try and verify this against the KDC,
although I've set options in the slapd.conf file for SASL, telling it
all that it needs to know about Kerberos.

Three days of this, and I'm going nuts!  So, any takers?  Anyone else
out there set up an LDAP directory that can be authenticated against
with simple authentication, but a Kerberos password backend, but without
using 'userPassword: {KERBEROS}'?

Any help is extremely appreciated, and I would be more than happy to
furnish further details, configuration files, and so on.

Thanks in advance!

--
Don Werve (Unix Sys Admin) | Email: donw AT agentsix DOT net

"Whatever you think you can do or believe you can do, begin it.  Action
has magic, grace and power in it." -- Goethe
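
An added example, not part of the original post: in a setup like the one described, the scheme prefix in braces at the start of the stored userPassword value decides how slapd checks a simple bind, and ldapsearch commonly prints that value base64-encoded (the "::" form), so this sketch decodes it and reports the scheme actually stored. The DNs, the sample LDIF and the function names are assumptions made for the illustration; only '{SASL}test@REALM' comes from the post.

```python
import base64
import re

# Constructed LDIF (as ldapsearch would print it); DNs and values are made up,
# except "{SASL}test@REALM", which is the value quoted in the post.
SAMPLE_LDIF = """\
dn: uid=test,ou=people,dc=example,dc=com
userPassword:: e1NBU0x9dGVzdEBSRUFMTQ==

dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {CRYPT}ab01FAX.bQRSU

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: dGVzdEBSRUFMTQ==
"""

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_.-]+)\}(.*)$", re.S)


def stored_passwords(ldif):
    """Map each DN to its list of (scheme, remainder) userPassword values.

    Assumes unfolded LDIF lines and plain-text DNs, which holds for the sample.
    """
    found, dn = {}, None
    for line in ldif.splitlines():
        name, sep, raw = line.partition(":")
        if not sep:
            continue  # blank separator line between entries
        if name.lower() == "dn":
            dn = raw.strip()
        elif name.lower() == "userpassword" and dn is not None:
            if raw.startswith(":"):  # "::" means the value is base64-encoded
                value = base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
            else:
                value = raw.strip()
            m = SCHEME_RE.match(value)
            scheme, rest = (m.group(1).upper(), m.group(2)) if m else (None, value)
            found.setdefault(dn, []).append((scheme, rest))
    return found


def sasl_identities(ldif):
    """DN -> identity for entries whose stored value carries the {SASL} scheme."""
    return {dn: rest for dn, values in stored_passwords(ldif).items()
            for scheme, rest in values if scheme == "SASL"}


if __name__ == "__main__":
    for dn, values in stored_passwords(SAMPLE_LDIF).items():
        print(dn, values)
```

In the sample, the third entry decodes to the identity without any scheme prefix, so it is reported with no scheme and is left out of the {SASL} list.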


