Re: openldap and kerberos integration

BTW I'd appreciate any recommendations about providing kerberos and
LDAP authentication (with the same password) in a production setting.
Should I use Heimdal or MIT kerberos?
If Heimdal, is it better to use OpenLDAP as a backend for Kerberos or
let Kerberos use its native backend?
If OpenLDAP as a backend, is it better to use {K5KEY} as the
userPassword or let smbk5pwd synchronize everything?

Read the smbk5pwd README.
I've read it. Your answer seems to imply that I should use Heimdal and
then OpenLDAP as its backend.
Am I right?

It's more than just implied. The README says the code was written for Heimdal. If you want to use smbk5pwd at all, then you must use Heimdal.
Sorry my question was not very clear.
I want LDAP Simple Binds and Kerberos with the same password.
I find smbk5pwd and OpenLDAP as a Heimdal backend very appealing
but maybe there are good reasons to use another Kerberos implementation
and/or store passwords in the Kerberos native backend (adding e.g. SASL in the mix
to make LDAP Simple Binds use pass-through authentication), obviously
ruling out smbk5pwd.

Do you recommend using {K5KEY} as the userPassword?

If you want LDAP Simple Binds to use the same password as Kerberos, then yes. If not, then no.
AFAICS with smbk5pwd I have two ways to have LDAP Simple Binds and Kerberos with the same password.
1) force use of ldappasswd to make smbk5pwd synchronize all passwords;
2) assign {K5KEY} to the userPassword and use kpasswd to change a password.

If I understood correctly, the second method makes the passwords identical by construction while the first allows passwords to desynchronize if changed without ldappasswd.

Best regards,
Thierry
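The second method from the list above (userPassword set to {K5KEY}, password changes made with kpasswd), as an added configuration example that is not part of this thread or of the smbk5pwd project's own documentation; the paths, suffix, realm, user and ACLs are constructed, and the overlay directive names follow the smbk5pwd README (check them against your build).

```conf
# --- slapd.conf fragment (constructed example) ---
# Heimdal hdb-ldap schema: provides krb5Principal/krb5KDCEntry and krb5Key
include         /etc/openldap/schema/hdb.schema
# overlay built from contrib/slapd-modules/smbk5pwd against Heimdal
moduleload      smbk5pwd.la

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap
# the KDC looks principals up by name
index           krb5PrincipalName eq
index           uid eq

# Only the KDC (assumed to run as root and bind over ldapi:// with
# SASL EXTERNAL) may write the Kerberos keys; nobody may read them.
access to attrs=krb5Key,krb5KeyVersionNumber
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
        by * none
# userPassword is never disclosed; simple binds only get "auth" access
access to attrs=userPassword
        by anonymous auth
        by * none
access to *
        by * read

# krb5: verify {K5KEY} simple binds against krb5Key and keep
# krb5Key updated if a password-modify exop (ldappasswd) is ever used
overlay         smbk5pwd
smbk5pwd-enable krb5

# --- user entry (constructed LDIF) ---
# No hash is stored in userPassword: the overlay checks a simple bind
# against the krb5Key values the KDC maintains, so LDAP and Kerberos
# can never hold different passwords for this entry.
dn: uid=thierry,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: thierry
cn: Thierry
sn: Thierry
krb5PrincipalName: thierry@EXAMPLE.COM
krb5KeyVersionNumber: 1
userPassword: {K5KEY}
```

After kpasswd has set the first key, an `ldapwhoami -x -D uid=thierry,ou=People,dc=example,dc=com -W` with the Kerberos password is the quick check that the bind path really goes through the overlay.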