[29324] in Kerberos
Re: Help with SASL/GSSAPI to remote Kerberos server
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Feb 20 10:07:24 2008
Message-ID: <47BC41B7.60906@anl.gov>
Date: Wed, 20 Feb 2008 09:05:27 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
To: Wes Modes <wmodes@ucsc.edu>
In-Reply-To: <47BB7922.3030203@ucsc.edu>
Cc: kerberos@mit.edu
Wes Modes wrote:
> Reason for this is that eventually, our campus kerberos
> service will be replaced with a secure LDAP auth.

OH! Are you sure this is a good idea? (This is the Kerberos list.)
Are you looking at Samba or AD as the LDAP server? If so, they both
have Kerberos (Samba 4 does at least). So you may want to look
a little further down the road before dropping Kerberos.

>
> But it remains an open question for me whether it is possible to have
> Samba/smbldap-tools ask LDAP/GSSAPI which indirectly asks Kerberos for
> authentication.

As Jeff pointed out, not with GSSAPI. What you might be looking for
is slapd code to take a username and password and do in effect a kinit
and a verify TGT, or have a SASL plugin do it for you. I don't know
of one.

You might want to ask on a SASL list, or OpenLDAP list. You will
not get much help on a Kerberos list, as the intent of Kerberos is
to never send the password over the network.

--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos