directory-dev mailing list archives

From Quanah Gibson-Mount <qua...@stanford.edu>
Subject Re: [Kerberos] Kerberos + OpenLDAP
Date Wed, 28 Feb 2007 21:21:13 GMT


--On Tuesday, February 27, 2007 6:34 PM -0800 Enrique Rodriguez 
<enriquer9@gmail.com> wrote:

> On 2/27/07, Mark Wilcox <mark.wilcox@gmail.com> wrote:
>> I have a quick question. Did you use the example Kerberos entries that
>> come with ApacheDS or are there example entries posted elsewhere?
>>
>> I didn't see them on the Wiki docs.
>
> No, I haven't posted them yet.  This is pretty alpha, which is why I
> put them in the sandbox.  I'm not sure which example Kerberos entries
> you're referring to, but IIRC the example we ship has entries for
> similar services, like krbtgt, changepw, and ssh.  Below is a quick
> entry for an LDAP server.  You need an LDAP service principal, krbtgt
> entry, and at least one user principal to make this work.  The key
> thing is the format of the LDAP service principal name:
>
> Use 'ldap' for LDAP:
> krb5PrincipalName: ldap/www.example.com@EXAMPLE.COM

Although this is the attribute I use for my OpenLDAP directories, I will 
note that this attribute is not part of any RFC standard.  In fact, 
there is no RFC-standardized way of storing Kerberos principals in a 
directory that I'm aware of.  I raised this issue with MIT and Heimdal once, 
and apparently they are "working" on something.  But that was several years 
ago.  I certainly would ensure that this not be a hard-coded method of 
making SASL/GSSAPI work.  The sasl-regexp bits from OpenLDAP are pretty 
handy in this area; you may wish to review them if you haven't yet.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
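Added example, not part of this thread or of ApacheDS/OpenLDAP: a small Python model of what OpenLDAP's sasl-regexp/authz-regexp mapping does with the krb5PrincipalName attribute Enrique and Quanah discuss. OpenLDAP presents a GSSAPI identity as the DN `uid=<primary>,cn=<realm>,cn=gssapi,cn=auth`, a rule rewrites that into an LDAP URL, and the search must hit exactly one entry for the mapping to succeed. The directive text, the directory entries, the principals and the DNs below are all constructed for the illustration; case-insensitive matching and the "unmapped identity stays as the cn=auth DN" behaviour are assumptions made here, so check them against the OpenLDAP admin guide for your version.

```python
import re

# Constructed slapd.conf rule, written as the two fields of an authz-regexp
# (formerly sasl-regexp) directive: match the GSSAPI auth DN, rewrite to an LDAP URL.
AUTHZ_REGEXP_RULES = [
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     "ldap:///dc=example,dc=com??sub?(krb5PrincipalName=$1@EXAMPLE.COM)"),
]

# Constructed sample directory (DN -> attributes), including the LDAP service
# principal format from the thread and a deliberately duplicated principal.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com":
        {"krb5PrincipalName": ["alice@EXAMPLE.COM"]},
    "cn=ldap-host,ou=services,dc=example,dc=com":
        {"krb5PrincipalName": ["ldap/www.example.com@EXAMPLE.COM"]},
    "uid=bob,ou=people,dc=example,dc=com":
        {"krb5PrincipalName": ["bob@EXAMPLE.COM"]},
    "uid=bob-old,ou=people,dc=example,dc=com":
        {"krb5PrincipalName": ["bob@EXAMPLE.COM"]},  # duplicate -> ambiguous mapping
}


def sasl_authzid(principal):
    """DN form OpenLDAP assigns to a GSSAPI identity: uid=<primary>,cn=<realm>,cn=gssapi,cn=auth."""
    primary, realm = principal.rsplit("@", 1)
    return f"uid={primary},cn={realm},cn=gssapi,cn=auth"


def apply_rule(authzid, rules):
    """Return the rewritten target of the first matching rule, or None if no rule matches.
    Assumption: OpenLDAP compares the normalized DN case-insensitively."""
    for pattern, template in rules:
        m = re.fullmatch(pattern, authzid, re.IGNORECASE)
        if m:
            # Expand $1..$9 with the captured groups, as the directive does.
            return re.sub(r"\$(\d)", lambda mo: m.group(int(mo.group(1))), template)
    return None


def parse_ldap_url(url):
    """Split ldap:///<base>?<attrs>?<scope>?<filter> into (base, scope, filter)."""
    base, _attrs, scope, flt = url[len("ldap:///"):].split("?", 3)
    return base, scope or "base", flt


def in_scope(dn, base, scope):
    dn_l, base_l = dn.lower(), base.lower()
    if scope == "base":
        return dn_l == base_l
    if not dn_l.endswith("," + base_l):
        return False
    if scope == "one":
        return "," not in dn_l[:-len(base_l) - 1]
    return True  # sub


def matches_equality_filter(attrs, flt):
    """Evaluate a single (attr=value) filter, the only filter form this toy search supports."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    name, value = m.groups()
    return any(v.lower() == value.lower() for v in attrs.get(name, []))


def resolve_identity(principal, rules=AUTHZ_REGEXP_RULES, directory=DIRECTORY):
    """Map a Kerberos principal to the directory entry it is authorized as.

    Returns the entry DN on a unique hit, the unmapped cn=auth DN when no rule
    matches (assumed OpenLDAP behaviour), and None when the search returns zero
    or several entries, which OpenLDAP treats as a failed mapping.
    """
    authzid = sasl_authzid(principal)
    target = apply_rule(authzid, rules)
    if target is None:
        return authzid
    if not target.lower().startswith("ldap:///"):
        return target  # a rule may also rewrite straight to a DN
    base, scope, flt = parse_ldap_url(target)
    hits = [dn for dn, attrs in directory.items()
            if in_scope(dn, base, scope) and matches_equality_filter(attrs, flt)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for p in ["alice@EXAMPLE.COM", "ldap/www.example.com@EXAMPLE.COM",
              "bob@EXAMPLE.COM", "carol@EXAMPLE.COM", "alice@OTHER.REALM"]:
        print(f"{p:40} -> {resolve_identity(p)}")
```

The duplicated `bob@EXAMPLE.COM` case is the one worth keeping in mind operationally: because the principal-to-entry link lives in an ordinary, non-standard attribute, nothing in the schema stops two entries from carrying the same value, and the "exactly one result" rule is what keeps such a collision from silently authorizing the wrong entry. A principal from another realm simply never matches the rule and is left with a `cn=auth` DN that your ACLs should grant nothing to.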
