[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: MIT Kerberos v5 and OpenLDAP

--On Monday, February 02, 2004 3:38 PM +0000 Jorge Ruão <jruao@fe.up.pt> wrote:

Hi all,

I'm currently implementing a system with MIT Kerberos V5, SASL, OpenSSL
and off-course OpenLDAP.

My big question is: to use MIT Kerberos V5 as an authentication
mechanism, all user passwords must be stored in the KDC database. What
can be done if I need to get a user password via LDAP?

I'm also looking for the schema: "krb5-kdc.schema" where can this be

krb5-kdc.schema can be obtained by doing a CVS checkout of HEAD.

As far as MIT Kerberos V5 on the server side, I don't suggest it -- It has many serious threading issues. If you want your server to be solid, reliable, and fast, use Heimdal Kerberos for the server. Clients can still use MIT Kerberos.

We store all of our passwords in our MIT K5 KDC, and obtain passwd file entry information from LDAP (so their password is not stored in LDAP at all, and we don't query the LDAP servers for it). If you use Heimdal, you can set up a KDC in the OpenLDAP servers themselves.


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html