
Re: Kerberos and DIGEST-MD5



Jose González Gómez wrote:
A question about something I didn't notice before... Is this synchronization really needed? You seem to imply that the password information stored in the KDC and in LDAP may differ and they need to be synchronized. But if Kerberos *uses* LDAP to store the password, doesn't the password get changed once you change it in LDAP? What am I missing here?

This point raises another question... if Heimdal is able to store its passwords in LDAP, does that mean that changing a password using kpasswd would change it in LDAP? That would solve this whole issue as long as you are able to store them in clear text, and make the LDAP/Kerberos synchronization unneeded if you force password changes to be made using Kerberos (possible with LDAP ACLs). Am I right?

The KDC does not store passwords in cleartext. Nor does it store them in the userPassword attribute. So yes, a synchronization mechanism is necessary.


Maybe you could stack the login modules so after successful login using pam_ldap, pam_krb5 connects to the KDC and gets the ticket... would this be possible?

Yes, that's how PAM works. Any further questions along these lines should be taken to a PAM discussion forum.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
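The stacking Jose asks about and Howard confirms, shown as a constructed PAM configuration. This is an added example, not part of the original thread and not a file from OpenLDAP, Heimdal or Symas; service name, module paths and option spellings follow the common Linux pam_ldap/pam_krb5 modules and may differ on your platform.

```text
# /etc/pam.d/login  (constructed example, not from the original message)
#
# auth stack: pam_ldap is the authority. It binds to the directory with the
# typed password; if that bind fails the stack fails and the user is denied.
# pam_krb5 then reuses the same password (use_first_pass: never re-prompt)
# to obtain a TGT from the KDC. It is "optional" so a KDC outage, or a stale
# LDAP/KDC synchronization, costs the user a ticket but not the login.
auth      required    pam_env.so
auth      required    pam_ldap.so
auth      optional    pam_krb5.so   use_first_pass

account   required    pam_ldap.so

# session: let pam_krb5 create and later destroy the credential cache.
session   required    pam_unix.so
session   optional    pam_krb5.so
```

Two things to check once this is in place. First, if you mark pam_ldap `sufficient` instead of `required`, PAM stops on success and pam_krb5 never runs, so no ticket is ever obtained. Second, because the KDC keeps its own keys rather than reading userPassword (Howard's point above), a user whose LDAP password changed without the KDC being updated will still log in through pam_ldap while pam_krb5 fails quietly; watch the auth log for pam_krb5 failures as the signal that the synchronization mechanism has fallen behind.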