[Date Prev][Date Next]
Re: MIT Kerberos v5 and OpenLDAP
--On Monday, February 02, 2004 3:38 PM +0000 Jorge Ruão <firstname.lastname@example.org>
I'm currently implementing a system with MIT Kerberos V5, SASL, OpenSSL
and off-course OpenLDAP.
My big question is: to use MIT Kerberos V5 as an authentication
mechanism, all user passwords must be stored in the KDC database. What
can be done if I need to get a user password via LDAP?
I'm also looking for the schema: "krb5-kdc.schema" where can this be
krb5-kdc.schema can be obtained by doing a CVS checkout of HEAD.
As far as MIT Kerberos V5 on the server side, I don't suggest it -- It has
many serious threading issues. If you want your server to be solid,
reliable, and fast, use Heimdal Kerberos for the server. Clients can still
use MIT Kerberos.
We store all of our passwords in our MIT K5 KDC, and obtain passwd file
entry information from LDAP (so their password is not stored in LDAP at
all, and we don't query the LDAP servers for it). If you use Heimdal, you
can set up a KDC in the OpenLDAP servers themselves.
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html