[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapd, SASL passthrough and changing passwords smashing userPassword

Hi folks,

I hope this is a quick and easy one :)
I have slapd 2.4.23 working with passthrough to MIT kerberos via saslauthd. I use smbkrb5pwd (a hack on smbk5pwd) to pass password changes through to kerberos (creating or modifying the target principle as required)
To enable a particular user to bind to slapd with their kerberos password, I'm setting: 

userPassword: {SASL}myuid@MY.KERBEROS.REALM.EXAMPLE.COM

This works *very nicely*. Except one thing...
Using passwd via pam_ldap or ldappasswd directly smashes userPassword: and replaces the value with the password hash. Both machanisms are doing EXOP password changes.
Is there any way to stop this happening when the mechanism in userPassword is {SASL} ? 


Or maybe there is another way to enable global SASL password passthroughs?

======
I'm in a transition phase. I need to import the slapcat output from the old LDAP server to my new one. At this point, all authentication should be done with the existing userPassword hash. Password changes should update this hash and create/modify principles on the kerberos server.
3 months later, I want to switch the auth mechanism on all accounts to passthrough to kerberos, at which point, ldappasswd should still work but via smbkrb5pwd updating kerberos. 

Maybe my strategy is wrong, but that's the basic problem I need to solve.

Am I trying this the wrong way?

Cheers and thanks in advance for any ideas.

Tim

--
Tim Watts
Personal Blog: http://www.dionic.net/tim/ 

"She got her looks from her father. He's a plastic surgeon."