Re: [Fedora-directory-users] support for non-localy stored passwords?

[Rich Megginson <rmeggins redhat com>]

David Boreham wrote:

> alex milivojevic org wrote:
>
> > I don't have Fedora Directory Server installed (yet).  However, 
> > there's one
> > feature from OpenLDAP that is must-have before even attempting to 
> > play with
> > FDS.
> >
> > In OpenLDAP, if I use string like "{SASL}username REALM" as a value for
> > userPassword attribute, and have "pwcheck_method: saslauthd" in
> > /usr/lib/sasl2/slapd.conf, then OpenLDAP will use saslauthd to 
> > authenticate the
> > user (passing it "username REALM" and whatever password user 
> > supplied).  I've
> > read that FDS supports SASL, but does it support this feautre too?
> >  
> Nope.
>
> Is this a currently supported OpenLDAP feature ?
> I ask because I vaguely remember some feature like
> this being dropped on the basis that it was a stop-gap
> until real SASL support was implemented. But I may
> well be thinking of some similar but different feature.
>
> FDS does support SASL but I think you'd need to
> do some extra work to get it to work with the saslauthd
> plugin. GSSAPI and EXTERNAL are the only two
> 'officially' supported SASL mechanisms.

What problem are you trying to solve?  Are you trying to authenticate 
apps that cannot use LDAP SASL and must use LDAP Simple BIND, and use 
your Kerberos password?  Fedora DS has a pam_passthru plugin that might 
help you with that.  You can tell FDS to use PAM to authenticate the 
user, and you can configure PAM to authenticate against Kerberos.

> --
> Fedora-directory-users mailing list
> Fedora-directory-users redhat com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature