
Re: OpenLDAP 2.1 Released



>>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:

    Turbo>  And if one uses Kerberos V? My 'userPassword' attribute is
    Turbo> currently of the form '{KERBEROS}USERPRINCIPAL' and I don't
    Turbo> change password in LDAP, but in Kerberos.

    Howard> That is an ugly, insecure, slow-performing hack. If you
    Howard> have Kerberos V then you should be using SASL/GSSAPI to
    Howard> login to LDAP, and completely ignoring the userPassword
    Howard> attribute.

I thought you HAD to use that to be able to use Kerberos V...

Okay, tested with my test user; it works with '*' in userPassword. One
question that comes up though, is WHY (i.e., by WHOM) is this used in the
first place?

    Turbo> Which means that i have to add/delete a user in TWO places
    Turbo> (really three, I'm using OpenAFS as well).

    Turbo> The 'only' reason when I started with LDAP a couple of years
    Turbo> ago, was so that I could have all in one place. This was with
    Turbo> OpenLDAP 1.x (using 'userPassword={CRYPT}PASSWORD'. By
    Turbo> needing/wanting secure replication, I started to use Kerberos
    Turbo> and keytabs.

    Howard> You can have everything in one place. Use the Heimdal KDC
    Howard> with its LDAP database backend.

WAY too late for that... All I can hope for is to have the MIT people
do something similar...

    Howard> It works pretty well. It's
    Howard> been at least 5 years since I've worked with AFS but I
    Howard> know you can shoehorn in a KDC of your choosing into there
    Howard> as well. Then all of your LDAP, Kerberos, and AFS users
    Howard> will reside in only one place.

Unfortunately it seems that I have to add the user to the PTS database in
OpenAFS. No way around that from what I can tell from the OpenAFS
list (and no change in sight).
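What "ignoring the userPassword attribute" means in practice: with SASL/GSSAPI (ldapsearch -Y GSSAPI ...) slapd never reads userPassword at all. It turns the authenticated Kerberos principal into a pseudo-DN of the form uid=<authcid>,cn=<realm>,cn=gssapi,cn=auth and then rewrites that into a real entry's DN with sasl-regexp rules (renamed authz-regexp in later releases), first match wins. The script below is an added example of that rewriting, not OpenLDAP code; the realm EXAMPLE.COM, the rules, the ou=People/ou=Admins tree and the admin-instance convention are all constructed for the illustration. The only syntax change from a real slapd.conf is that slapd writes the back-reference as $1 where Python's re uses \1.

```python
"""Model of slapd's SASL identity -> DN mapping (sasl-regexp / authz-regexp).

Added example for this thread; not OpenLDAP code.  The realm, rules and
DNs below are constructed for illustration.
"""
import re

# Constructed slapd.conf-style rules, kept in file order because slapd
# applies them in order and stops at the first match.
# Assumption: admin instances (user/admin@REALM) get their own entries
# under ou=Admins rather than being treated as the plain user.
SASL_REGEXP_RULES = [
    (r"uid=([^,/]+)/admin,cn=EXAMPLE\.COM,cn=gssapi,cn=auth",
     r"cn=\1-admin,ou=Admins,dc=example,dc=com"),
    (r"uid=([^,/]+),cn=EXAMPLE\.COM,cn=gssapi,cn=auth",
     r"uid=\1,ou=People,dc=example,dc=com"),
]


def sasl_auth_dn(principal, mech="gssapi"):
    """Build the pseudo-DN slapd assigns to a SASL identity.

    Form: uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth.  The cn=<realm>
    component is omitted when the identity carries no realm.
    """
    user, _, realm = principal.partition("@")
    if not user:
        raise ValueError("empty SASL authcid")
    parts = [f"uid={user}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts)


def map_sasl_dn(sasl_dn, rules=SASL_REGEXP_RULES):
    """Apply the rules in order; the first one that matches the whole
    pseudo-DN wins.  If nothing matches, slapd keeps the cn=auth pseudo-DN,
    which names no real entry, so ACLs written against ou=People never
    apply to that session.  (Full-match anchoring is this example's choice;
    slapd's patterns are anchored only where you write ^ and $.)
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_dn)
        if m:
            return m.expand(replacement)
    return sasl_dn


def bind_dn_for(principal):
    """Principal as Kerberos presents it -> DN the LDAP session runs as."""
    return map_sasl_dn(sasl_auth_dn(principal))


if __name__ == "__main__":
    for p in ("turbo@EXAMPLE.COM", "turbo/admin@EXAMPLE.COM",
              "mallory@OTHER.ORG", "turbo"):
        print(f"{p:28} -> {bind_dn_for(p)}")
```

Two practitioner notes on the '*' trick. First, the mapping above is the only thing that connects the Kerberos identity to an entry, so a realm or instance that no rule covers (mallory@OTHER.ORG here) authenticates fine but lands on a DN with no rights; check the rewritten DN with ldapwhoami -Y GSSAPI before writing ACLs. Second, slapd compares an unschemed userPassword value as cleartext, so a simple bind with the literal password '*' would succeed against such an entry; if you want simple binds gone for good, set disallow bind_simple in slapd.conf rather than relying on an unguessable placeholder.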