
Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos and DIGEST-MD5)

Jose Gonzalez Gomez wrote:

Howard Chu wrote:
One feature that using pam_ldap in addition to pam_krb5 provides is the opportunity to enforce password policy, and this is most easily manageable when both LDAP and Kerberos are using the same authentication database. That point was raised earlier in the thread but seems to have been omitted from the summary.

Otherwise you're right, there's no pressing need to go this route.

I've been able to enforce password policy just using pam_krb5/mit_krb5, and Heimdal seems to be able to do it using the password_quality section in krb5.conf. I know you talked before about password policy enforcement available in CVS, but what does this provide that you cannot achieve using the functionalities found in MIT or Heimdal?

The module I'm referring to only works for LDAP Simple Binds. If you're in a pure SASL/GSSAPI environment it's not necessary, but if you need to support legacy apps that only know how to do Simple Binds, then it's useful.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support