Wouter van Marle <[email protected]> writes:

> Hi group,
>
> I have been fighting the whole day already for something that I think
> is quite simple but I just can't get it to work: have slapd
> authenticate users against kerberos. Following many tutorials, trying
> many things, I give up on that and ask for your help.
>
> System: Debian Lenny.
>
> Situation:
> - workstation logins over the network authenticate against kerberos
> - credentials from LDAP
> - postfix has its alias database etc in LDAP, as are the groups and
>   userIDs and everything - helps keeping uids the same on the
>   workstations. Essential for NFS.
> - anything using pam will be authenticated against kerberos, including
>   imap, postfix, etc.
>
> Except LDAP. Then slapd authenticates by itself against the password
> stored there. And that's not what I want. There should be no passwords
> in LDAP any more, everything against kerberos. Then at least when a
> user changes their kerberos password, the same password is used
> everywhere. I just can't get this to work for some reason. I have
> followed many tutorials, so many that I forgot what I did, and it
> still doesn't work.
>
> Slapd should use pam to authenticate, or directly talk to the kerberos
> server, whatever.
>
> saslauthd has the gssapi module installed.
[...]

Why did you design such a complicated setup? postfix supports sasl
mechanism GSSAPI, openldap supports sasl mechanism GSSAPI, cyrus-imap
supports sasl mechanism GSSAPI, ssh supports GSSAPI, pam login should
use unix2 which supports GSSAPI. saslauthd is not required, nor is a
userpassword attribute value required in DIT.

Just set up a proper kerberos V5 environment, create service principals,
host principals and user principals, and configure clients to use either
native krb5 implementation or GSSAPI mechanism.

-Dieter

--
Dieter Klünter | Systemberatung
sip: [email protected]
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
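A slapd.conf fragment for the GSSAPI-only arrangement recommended in the reply above, added here as an example and not part of either message. The realm EXAMPLE.COM, the host ldap.example.com, the keytab path and the ou=people,dc=example,dc=com suffix are assumed placeholders.

```conf
# slapd.conf fragment (added example; every name below is a placeholder).
#
# Assumptions:
#  - the KDC holds a service principal ldap/ldap.example.com@EXAMPLE.COM
#  - its key was exported to /etc/ldap/ldap.keytab (assumed path), which is
#    owned by the slapd user and mode 0600
#  - slapd's environment sets KRB5_KTNAME=/etc/ldap/ldap.keytab

# Name and realm slapd presents to the SASL library.
sasl-host       ldap.example.com
sasl-realm      EXAMPLE.COM

# Refuse anonymous and plaintext SASL mechanisms, so a bind cannot fall
# back to a password compared against the directory.
sasl-secprops   noanonymous,noplain

# A GSSAPI bind arrives as an authentication identity, not a DIT entry:
#   uid=<principal>,cn=<realm>,cn=gssapi,cn=auth   (realm given)
#   uid=<principal>,cn=gssapi,cn=auth              (default realm)
# Map both forms to the user's entry, so ACLs written against
# ou=people apply and no userPassword value is needed.
authz-regexp
    uid=([^,]+),cn=example.com,cn=gssapi,cn=auth
    uid=$1,ou=people,dc=example,dc=com
authz-regexp
    uid=([^,]+),cn=gssapi,cn=auth
    uid=$1,ou=people,dc=example,dc=com

# Check from a client that holds a ticket (after kinit as a user principal):
#   ldapwhoami -Y GSSAPI -H ldap://ldap.example.com
# The reply should be the mapped DN under ou=people, not the cn=auth form.
```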
