Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos and DIGEST-MD5)
Howard Chu wrote:
Quanah Gibson-Mount wrote:
--On Wednesday, July 28, 2004 8:05 PM +0200 Jose Gonzalez Gomez
I hope this helps anyone trying to set up a
It probably does for those trying to run a KDC on top of OpenLDAP.
It kind of depends on what you want to do. We run an MIT KDC, and
use GSSAPI with OpenLDAP just fine. We simply configure PAM to
authenticate to the KDC for getting passwords, rather than going
through LDAP. It works quite well. We also have SSO throughout the
One feature that using pam_ldap in addition to pam_krb5 provides is
the opportunity to enforce password policy, and this is most easily
manageable when both LDAP and Kerberos are using the same
authentication database. That point was raised earlier in the thread
but seems to have been omitted from the summary.
Otherwise you're right, there's no pressing need to go this route.
I've been able to enforce password policy just using
pam_krb5/mit_krb5, and Heimdal seems to be able to do it using the
password_quality section in krb5.conf. I know you talked before about
password policy enforcement available in CVS, but what does this provide
that you cannot achieve using the functionality found in MIT or Heimdal?