
RE: ldap in heterogenous environment



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jerome Walter

> On Sat, Apr 19, 2003 at 06:23:33PM -0600, David Smith wrote:
> > I can confirm that those rumors are true. We are doing just that
> > (including Kerberos) at my place of employment. There is one caveat:
> > your NT passwords must be stored as hashes in LDAP rather than in
> > Kerberos. The Samba PDC authenticates to those rather than to Kerberos
> > in our setup.
>
> Isn't it possible to use Kerberos for the authentication and LDAP for
> storing user data (account, uid ...)?
> This being done, the password should not be Windows hashes but Kerberos
> encrypted (I think this is DES/MD5). But storing passwords in LDAP is not
> as secure as storing them in the Kerberos database, as LDAP has not been
> thought of as an authenticator and is designed for public data.
>
> This has been discussed here before, I think, or perhaps it was on the
> Kerberos mailing lists.

This has been discussed here before. The solution that we recommend is to use
Heimdal with PADL's hdb-ldap backend and Symas' patches. (Not all of the
patches were present in Heimdal 0.5.2 so it seems you still have to apply
some by hand.) This approach gives the tightest integration, putting the
Kerberos user database in LDAP itself.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support