
Re: OpenLDAP 2.1 Released



On Friday, 14 June 2002 09:43, Turbo Fredriksson wrote:
> >>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:
>
>     Turbo> And if one uses Kerberos V? My 'userPassword' attribute is
>     Turbo> currently of the form '{KERBEROS}USERPRINCIPAL' and I don't
>     Turbo> change password in LDAP, but in Kerberos.
>
>     Howard> That is an ugly, insecure, slow-performing hack. If you
>     Howard> have Kerberos V then you should be using SASL/GSSAPI to
>     Howard> login to LDAP, and completely ignoring the userPassword
>     Howard> attribute.
>
> I thought you HAD to use that to be able to use Kerberos V...
>
> Okay, tested with my test user, it works with '*' in userPassword. One
> question that comes up though, is WHY (i.e., WHO) is this used in the
> first place?

The userPassword attribute is only used for simple binds. In this case, 
if it is set to {KERBEROS}PRINC, the password is sent in cleartext to 
the server (even if you use SSL or something similar, the server will 
learn your cleartext password), and slapd uses this cleartext password 
for authentication against the KDC. Since this is a simple bind, the 
protocol itself is not aware of Kerberos, and for that reason the 
server _needs_ the cleartext password. This is BTW equally bad as using 
a pam-kerberos module on the server side (for any non-kerberized 
protocol).

If you use a SASL bind, the userPassword is never used, so setting it to 
{KERBEROS}PRINC does not really hurt. Except for the fact that it might 
allow users to use the (insecure) method mentioned above.

Maybe you could modify your Howto (which is btw really really useful!) 
in order to reflect these things?

Hans

-- 
Hans.Aschauer@Physik.uni-muenchen.de
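The point made in the reply above is that a '{KERBEROS}PRINC' value in userPassword does no harm to SASL/GSSAPI binds but leaves the cleartext simple-bind path open. The script below is an added example, written for this page and not code from OpenLDAP or from either message author: it walks an LDIF dump (the shape `slapcat` produces), unfolds continuation lines, decodes base64 values, and classifies each userPassword by what a simple bind would do with it, so an admin can find the entries that still need fixing. The LDIF sample, the DNs, the realm and the fake {SSHA} value are all constructed for the example; the scheme names it knows are the usual slapd password schemes, and it checks only the prefix, not whether a hash is well-formed.

```python
"""Audit an LDIF dump for userPassword values that still enable the
simple-bind path discussed in the thread.

Added example, not code from OpenLDAP or from the message authors.
All sample data below is constructed.
"""
import base64
import re

# Password schemes slapd stores as hashes (prefix check only).
HASH_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT"}


def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with one space
    continues the previous line) and drop '#' comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return records as {'dn': str, 'userPassword': [values...]}.
    'attr:: value' carries a base64-encoded value and is decoded."""
    records = []
    current = None
    for line in unfold_ldif(text) + [""]:      # sentinel flushes last record
        if not line.strip():
            if current is not None:
                records.append(current)
                current = None
            continue
        m = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if current is None:
            current = {"dn": "", "userPassword": []}
        if attr.lower() == "dn":
            current["dn"] = value
        elif attr.lower() == "userpassword":
            current["userPassword"].append(value)
    return records


def classify(value):
    """Classify one userPassword value by how a simple bind would use it."""
    if value == "*":
        # The thread's placeholder. It has no scheme prefix, so slapd
        # compares it like any other cleartext value; only a bind with the
        # literal password '*' would match it.
        return "placeholder"
    m = re.match(r"^\{([A-Za-z0-9-]+)\}", value)
    if not m:
        return "cleartext"              # stored and compared in the clear
    scheme = m.group(1).upper()
    if scheme == "KERBEROS":
        # slapd takes the cleartext password from the simple bind and
        # checks it against the KDC: the case the reply warns about.
        return "kerberos-passthrough"
    if scheme in HASH_SCHEMES:
        return "hashed"
    return "unknown-scheme"


def audit(ldif_text):
    """Map each DN to the classifications of its userPassword values.
    Entries with no userPassword get ['none']: the default simple bind
    has nothing to compare against, while SASL binds are unaffected."""
    return {rec["dn"]: ([classify(v) for v in rec["userPassword"]] or ["none"])
            for rec in parse_ldif(ldif_text)}


def flagged(ldif_text):
    """DNs whose userPassword lets a simple bind carry the Kerberos
    password through slapd, or stores the password in the clear."""
    return sorted(dn for dn, kinds in audit(ldif_text).items()
                  if "kerberos-passthrough" in kinds or "cleartext" in kinds)


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample: the {SSHA} value is a made-up string, not a real hash,
# and is stored base64-encoded and folded across two lines as slapcat does.
_ssha = _b64("{SSHA}c2FsdGVkaGFzaGJ5dGVz")
SAMPLE_LDIF = f"""\
dn: uid=turbo,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: turbo
userPassword: {{KERBEROS}}turbo@EXAMPLE.COM

dn: uid=hans,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: hans
userPassword: *

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword:: {_ssha[:24]}
 {_ssha[24:]}

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: hunter2
"""

if __name__ == "__main__":
    for dn, kinds in audit(SAMPLE_LDIF).items():
        print(f"{dn}: {', '.join(kinds)}")
    print("needs attention:", flagged(SAMPLE_LDIF))
```

Feed it a real `slapcat` dump instead of SAMPLE_LDIF to audit a directory. The "placeholder" class is reported separately on purpose: it is what the thread settled on, but it is still a cleartext comparison, so it is listed rather than silently treated as safe.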