[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [Fwd: Re: KDC {K5KEY} userPassword problem] Solved!!

Kent Nasveschuk wrote:
Although I specified in slapd.conf on the slave servers:

moduleload              /opt/openldap-2.3.39/lib/smbk5pwd.la

I omitted:

overlay smbk5pwd

I'm guessing slapd never passed credentials to KDC, hence the (49) error

The README states quite clearly that the overlay evaluates the Kerberos keys stored in the LDAP entry. It never talks to the KDC; there's no reason to since the KDC's data all resides in the LDAP entry. As I said in my first reply to you - it only works if you actually configure it.

1 more question, how does the smbk5pwd module handle a Kerberos password
that is expired? Is there a specific error code? I suppose I could
expire one then try it.

I guess you're talking about the krb5PasswordEnd attribute. The overlay does not check this at all.

2 days of wrestling with this, finally got it to work.

-- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/