[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP 2.1 Released

To: openldap-software@OpenLDAP.org
Subject: Re: OpenLDAP 2.1 Released
From: Turbo Fredriksson <turbo@bayour.com>
Date: 14 Jun 2002 08:41:49 +0200
In-reply-to: <NMEFLNHODBAOPDKNNJALCELDDAAA.hyc@highlandsun.com>
Organization: LDAP/Kerberos expert wannabe
References: <NMEFLNHODBAOPDKNNJALCELDDAAA.hyc@highlandsun.com>
User-agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7

>>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:

    ThierryW> in-directory secret storage seems to be simple
    ThierryW> like you said.. but which syntax for userpassword and who
    ThierryW> generate password (cause by default saslpassword write to
    ThierryW> sasldb..) ?

    Howard> As Tim already mentioned, you do all password management
    Howard> using only LDAP tools. The syntax for the userPassword
    Howard> attribute is an arbitrary cleartext string. You just use
    Howard> ldapmodify to set it, and you don't use the saslpasswd
    Howard> command any more since you don't use sasldb any more.

And if one uses Kerberos V? My 'userPassword' attribute is currently
of the form '{KERBEROS}USERPRINCIPAL' and I don't change password in
LDAP, but in Kerberos. Which means that i have to add/delete a user in
TWO places (really three, I'm using OpenAFS as well).

The 'only' reason when I started with LDAP a couple of years ago, was
so that I could have all in one place. This was with OpenLDAP 1.x (using
'userPassword={CRYPT}PASSWORD'. By needing/wanting secure replication,
I started to use Kerberos and keytabs.

Follow-Ups:
- RE: OpenLDAP 2.1 Released
  - From: "Howard Chu" <hyc@highlandsun.com>

References:
- RE: OpenLDAP 2.1 Released
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: RE: unknown CA
Next by Date: Re: OpenLDAP 2.1 Released
Index(es):
- Chronological
- Thread