[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Where is info about {KERBEROS} ?

>>>my real question is:
>>>the {KERBEROS}-"tag" tells
>>>LDAP to use the "service/daemon" of Kerberos
>>>to put infomation into the KERBEROS database
>>>or to get it out of it.
>>I do not think there is any way for LDAP to "write to" the Kerberos
> No problem, this  just means a little has to do this ..
>>Changing of the Kerberos password (credential) is
>>accomplished via Kerberos tools, such as pam_krb5 or kpasswd.  LDAP
>>simply 'reads' Kerberos via Cyrus-SASL-GSSAPI.
>Okidoki, the point is, "do i get back exactly what i put
>(for example : i put "pazzword" as pw for a
>principal@REALM into KERBEROS.
>If a client does a read on the {KERBEROS}principal@REALM -
>field  through LDAP, does he get back "pazzword" ?

No.  If a user requests the value of userpassword (and is permitted by
ACL to do so) they will receive "{KERBEROS}blah@blahblah.blah".  As that
is the value of userpassword.  It might be base64 encoded.

If a user performs an auth operaton OpenLDAP will use GSSAPI and return
success or failure.

This is simply no way of getting the password back, and to be blunt, you
don't want there to by any way to do that.