Re: support for non-locally stored passwords?

David Boreham wrote:

alex@xxxxxxxxxxxxxxx wrote:

I don't have Fedora Directory Server installed (yet). However, there's one feature from OpenLDAP that is a must-have before even attempting to play with FDS.

In OpenLDAP, if I use a string like "{SASL}username@REALM" as a value for the userPassword attribute, and have "pwcheck_method: saslauthd" in /usr/lib/sasl2/slapd.conf, then OpenLDAP will use saslauthd to authenticate the user (passing it "username@REALM" and whatever password the user supplied). I've read that FDS supports SASL, but does it support this feature too?

Nope.

Is this a currently supported OpenLDAP feature?
I ask because I vaguely remember some feature like
this being dropped on the basis that it was a stop-gap
until real SASL support was implemented. But I may
well be thinking of some similar but different feature.

FDS does support SASL but I think you'd need to
do some extra work to get it to work with the saslauthd
plugin. GSSAPI and EXTERNAL are the only two
'officially' supported SASL mechanisms.

What problem are you trying to solve? Are you trying to authenticate apps that cannot use LDAP SASL and must use LDAP Simple BIND, and use your Kerberos password? Fedora DS has a pam_passthru plugin that might help you with that. You can tell FDS to use PAM to authenticate the user, and you can configure PAM to authenticate against Kerberos.







--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
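
A sketch of the pam_passthru setup suggested in the last reply, as an added example that is not part of the thread or the project's own configuration. The attribute names are those of the PAM Pass Through Auth plugin as documented for 389 Directory Server; the PAM service name `ldapserver`, the use of pam_krb5 and all values shown are assumptions to check against the installed version.

```ldif
# Added example (assumed values). Apply with ldapmodify as Directory Manager,
# then restart the server so the plugin change takes effect.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamService
pamService: ldapserver
-
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
replace: pamSecure
pamSecure: TRUE
-
replace: pamFallback
pamFallback: FALSE
-
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
replace: pamMissingSuffix
pamMissingSuffix: ALLOW

# What the settings mean for the Simple BIND case discussed above:
#   pamService      PAM stack the server calls; here /etc/pam.d/ldapserver.
#   pamIDMapMethod  RDN maps "uid=alex,ou=People,..." to the PAM user "alex".
#   pamSecure       TRUE refuses PAM authentication on connections without
#                   TLS/SSL, since a Simple BIND carries the Kerberos
#                   password itself to the directory server.
#   pamFallback     FALSE means a PAM failure is final; the server does not
#                   retry against a locally stored userPassword.
#   pamExcludeSuffix keeps cn=config (Directory Manager) on local passwords.
#
# Assumed contents of /etc/pam.d/ldapserver, delegating to Kerberos:
#   auth     required  pam_krb5.so
#   account  required  pam_krb5.so
```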
