
Re: LDAPv3 a nightmare



Howard Chu wrote:

Yes, only one password repository is needed.


That is definitely what I wanted to hear.

In fact only one database is needed;



good too.

you can configure Heimdal Kerberos to store its information in LDAP,
piggybacked onto the usual user information.



I have been trying with mit-krb5; are there configuration examples in the Heimdal src on how I might do this?


Personally I think this is the
best way to go because it means you only have one database to administer when
you're doing user management tasks.



Got me convinced.

You can even set things up such that all
of the possible authentication methods are all valid, and all using the same
userPassword in LDAP (although I'm not sure why you would; certainly you
wouldn't want to give plaintext access to the same key that's used for your
Kerberos and other strong authentication mechanisms).



Plaintext access as in binding? So the Kerberos key or the principal password would be in the userPassword field?
Kerberos keys are usually stored in the keytab data file, right?
So with Heimdal, principals, keys, and passwords [are|can be] put in LDAP?