
HEADS-UP: Kerberos changes



I've added optional (--enable-kpasswd) support for the KERBEROS password
scheme, i.e.:
	userPassword: {KERBEROS}principal

The principal form depends upon the availability of Kerberos
V vs IV.  Currently, though configure likely can detect MIT
Kerberos V, lutil/passwd.c implements checking using the
Heimdal Kerberos V implementation.  Someone familiar with
MIT Kerberos V should extend lutil/passwd.c as needed.

I've also included an implementation for eBones Kerberos IV.
I've only checked that this implementation compiles as I
don't actually have a Kerberos IV KDC to test against.

The reason for this heads up is that configure --with-kerberos
is now used to provide hints as to which Kerberos to use and
--disable-kbind and --enable-kpasswd are used to disable/enable
specific Kerberos options.  --disable-kbind disables the
LDAPv2 Kerberos bind mechanisms.

Again, as I don't have a Kerberos IV KDC to test against,
it's more than likely that the configure changes and the
kbind/kpasswd implementations may be broken.  Those who
use kbind are encouraged to test.

	Kurt

Note: the {KERBEROS} passwd scheme is disabled by default.
SASL/GSSAPI is the recommended mechanism for authenticating
in Kerberos V environments.
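
The following is an added example, not part of the original message and not OpenLDAP's lutil/passwd.c code: a C helper that recognizes the `{KERBEROS}principal` form of a stored userPassword value, which is useful when auditing which entries defer password checks to a KDC. The function and enum names, the case-insensitive scheme match, the handling of malformed values and the sample values are assumptions of this example; no KDC is contacted.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* How a stored userPassword value is interpreted (hypothetical names). */
enum pw_kind { PW_CLEARTEXT, PW_OTHER_SCHEME, PW_KERBEROS, PW_MALFORMED };

/* Case-insensitive prefix test; stops safely if s is shorter than prefix. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Classify one value; for {KERBEROS}, *principal points past the prefix. */
enum pw_kind classify_userpassword(const char *stored, const char **principal)
{
    static const char scheme[] = "{KERBEROS}";

    *principal = NULL;
    if (stored == NULL || stored[0] == '\0')
        return PW_MALFORMED;
    if (stored[0] != '{')
        return PW_CLEARTEXT;        /* no scheme prefix at all */
    if (strchr(stored, '}') == NULL)
        return PW_MALFORMED;        /* unterminated "{..." prefix */
    if (!has_prefix_ci(stored, scheme))
        return PW_OTHER_SCHEME;     /* some other {SCHEME} prefix */
    if (stored[sizeof scheme - 1] == '\0')
        return PW_MALFORMED;        /* scheme present, principal missing */
    *principal = stored + (sizeof scheme - 1);
    return PW_KERBEROS;
}

/* Constructed sample values, not taken from any real directory. */
static const char *const SAMPLE_VALUES[] = {
    "{KERBEROS}alice@EXAMPLE.COM", "{kerberos}bob@EXAMPLE.COM",
    "{SSHA}constructed-placeholder", "{KERBEROS}", "plaintext-secret",
};

int main(void)
{
    const char *p;
    for (size_t i = 0; i < sizeof SAMPLE_VALUES / sizeof SAMPLE_VALUES[0]; i++)
        printf("kind=%d\n", (int)classify_userpassword(SAMPLE_VALUES[i], &p));
    return 0;
}
```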