RE: OpenLDAP 2.1 Released
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo
> Fredriksson
> >>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:
>     Howard> As Tim already mentioned, you do all password management
>     Howard> using only LDAP tools. The syntax for the userPassword
>     Howard> attribute is an arbitrary cleartext string. You just use
>     Howard> ldapmodify to set it, and you don't use the saslpasswd
>     Howard> command any more since you don't use sasldb any more.
>
> And if one uses Kerberos V? My 'userPassword' attribute is currently
> of the form '{KERBEROS}USERPRINCIPAL' and I don't change password in
> LDAP, but in Kerberos.

That is an ugly, insecure, slow-performing hack. If you have Kerberos V then
you should be using SASL/GSSAPI to login to LDAP, and completely ignoring
the userPassword attribute.

> Which means that i have to add/delete a user in
> TWO places (really three, I'm using OpenAFS as well).

> The 'only' reason when I started with LDAP a couple of years ago, was
> so that I could have all in one place. This was with OpenLDAP 1.x (using
> 'userPassword={CRYPT}PASSWORD'. By needing/wanting secure replication,
> I started to use Kerberos and keytabs.

You can have everything in one place. Use the Heimdal KDC with its LDAP
database backend. It works pretty well. It's been at least 5 years since
I've worked with AFS, but I know you can shoehorn a KDC of your choosing
in there as well. Then all of your LDAP, Kerberos, and AFS users will
reside in only one place.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
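Editor's note (not part of the original message, and not configuration shipped by OpenLDAP or Heimdal): the two recommendations in the reply above, GSSAPI binds with userPassword ignored and a Heimdal KDC keeping its principals in slapd, translate into roughly the following slapd.conf and kdc.conf fragments. The realm EXAMPLE.COM, the suffix dc=example,dc=com, the ou=KerberosPrincipals container, the hdb.schema path and the Heimdal file paths are placeholders assumed here; check each directive against the slapd.conf(5) and kdc.conf(5) of the versions actually installed.

```conf
# --- slapd.conf (OpenLDAP 2.1) ---
# Load Heimdal's HDB schema so KDC principals can live as LDAP entries
# (objectClasses krb5Principal / krb5KDCEntry, attributes krb5Key etc.).
include         /usr/share/heimdal/hdb.schema

# A user who binds with SASL/GSSAPI is seen by slapd as
#   uid=<principal>,cn=<REALM>,cn=gssapi,cn=auth
# sasl-regexp maps that authentication identity onto the real entry,
# so no userPassword value is ever consulted for the bind.
sasl-realm      EXAMPLE.COM
sasl-regexp     uid=([^,]*),cn=EXAMPLE.COM,cn=gssapi,cn=auth
                uid=$1,ou=People,dc=example,dc=com

# Refuse simple (cleartext/password) binds altogether. Note this also
# refuses a simple bind as rootdn; administer via SASL instead.
disallow        bind_simple

database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap

# The Heimdal KDC talks to slapd over the local ldapi:// socket and is
# authenticated by SASL EXTERNAL as the root user. Only that identity may
# read or write key material; nobody else may even read it.
access to attrs=krb5Key,krb5KeyVersionNumber
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
        by * none
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
        by users read
        by * none

# --- kdc.conf (Heimdal) ---
# Point the KDC's HDB at the directory instead of a local db file.
# hdb-ldap-structural-object names the structural class used when the KDC
# creates a principal entry that does not already exist (assumed value).
[kdc]
        database = {
                dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
                hdb-ldap-structural-object = inetOrgPerson
                acl_file = /var/heimdal/kadmind.acl
                mkey_file = /var/heimdal/m-key
        }
```

For the peercred identity to exist, slapd has to listen on the local socket as well as the network (for example `slapd -h "ldap:/// ldapi:///"`). Once a user holds a ticket, `ldapwhoami -Y GSSAPI` shows the DN slapd ends up with after the sasl-regexp rewrite, which is the quickest way to confirm the mapping before writing ACLs against it.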