Projects/LDAP SASL support
This project adds support for SASL authentication to the LDAP KDB module, based on contributions from Zoran Pericic.
The LDAP Kerberos database module currently supports only simple binding using a DN and password. The configuration inputs are:
- The profile variables "ldap_kdc_dn", "ldap_kadmin_dn", and "ldap_service_password_file".
- The DB parameters "binddn" and "bindpwd".
ldap_kdc_dn is used as the DN for the KDC, and ldap_kadmin_dn for everything else. ldap_service_password_file references a file containing a hex-encoded password for each DN in a simple format.
The following profile variables and database options will be added:
- "ldap_kdc_sasl_mech" and "ldap_kadmind_sasl_mech" profile variables, "sasl_mech" DB parameter
- "ldap_kdc_sasl_authcid" and "ldap_kadmind_sasl_authcid" profile variables, "sasl_authcid" DB parameter
- "ldap_kdc_sasl_authzid" and "ldap_kadmind_sasl_authzid" profile variables, "sasl_authzid" DB parameter
- "ldap_kdc_sasl_realm" and "ldap_kadmind_sasl_realm" profile variables, "sasl_realm" DB parameter
If a SASL mechanism is set, the bind DN will be ignored and a SASL interactive bind will be performed instead. Setting the authzid is only necessary for proxy authentication, which isn't a common case. For mechanisms which require a SASL secret, it will be read from the service password file, with the authentication name (authcid) as the key.
The most commonly used mechanism will likely be EXTERNAL, which does not require an authcid, realm, or secret.
If the <sasl/sasl.h> header file is not present for the build, interactive SASL mechanisms will not work (because we cannot define the interaction function), but non-interactive mechanisms such as EXTERNAL and GSSAPI will still work.
t_kdb.py will be extended to test EXTERNAL and DIGEST-MD5 authentication.
Mailing list discussions
- Add support to the LDAP KDB module for binding to the LDAP server using SASL.