
Re: Mapping userPassword to Kerberos 5

Quoting "Howard Chu" <hyc@highlandsun.com>:

> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Stephen Frost
> > I'd love to get some feedback from people on this, perhaps there are
> > other cases where authentication through LDAP to Kerberos makes some
> > sense.  Or perhaps there are other problems with pam_krb5 I've not run
> > into.  If there's enough demand for the Debian packages to be compiled
> > with --enable-kpasswd we may be willing to do this in the future.
> As I've posted before - for the reasons you outline, we strongly discourage
> people from using this kpasswd stuff. Likewise for pam_krb5; any mechanism
> that lets you send a Kerberos password across a network completely defeats
> whatever security Kerberos had to offer.

I solely agree, but in (most?) cases there's no other option. You _have_ to
allow simple bind (broken software and what not - I have no choice in my
phpQLAdmin, since there is no Kerberos API support in PHP) and if it's too
awkward to have TWO passwords (one for Kerberos, one for simple binds), then
{KERBEROS} is a reasonable compromise. Don't like it either, but...
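As an added illustration, not taken from the thread or from OpenLDAP's own documentation, this is what the compromise described above looks like in slapd.conf terms, together with the check a defender would want next to it: since a {KERBEROS}-mapped userPassword means slapd receives the user's cleartext Kerberos password on every simple bind, the `security` directive can at least refuse that bind unless the session already carries TLS protection. The file paths and the principal are placeholders; the {KERBEROS} scheme itself requires a slapd built with --enable-kpasswd, as the thread notes.

```conf
# slapd.conf fragment (constructed example, not from the thread).
#
# With --enable-kpasswd, an entry carrying a value such as
#   userPassword: {KERBEROS}alice@EXAMPLE.COM      (placeholder principal)
# has no locally stored hash: on a simple bind slapd takes the cleartext
# password from the client and checks it against the KDC. The password
# therefore crosses the network client -> slapd, which is the exposure the
# thread objects to.

# Server certificate so clients can negotiate TLS (StartTLS or ldaps).
TLSCertificateFile     /etc/ldap/slapd.crt     # placeholder path
TLSCertificateKeyFile  /etc/ldap/slapd.key     # placeholder path

# Require at least 128 bits of security strength factor before any
# simple bind is accepted. Without this line (the default), slapd will
# happily accept the bind, and thus the cleartext Kerberos password, over
# an unprotected port-389 session.
security simple_bind=128
```

A client that binds without TLS then gets "confidentiality required" back instead of an authentication attempt against the KDC, which is also the event to watch for in the slapd log when checking that no client is still sending passwords in the clear.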