[Date Prev][Date Next] [Chronological] [Thread] [Top]

Kerberos with LDAP backend: password sync


We've been using OpenLDAP for all major services (mainly mail, Shibboleth, web service authentication etc.) based on authentication over the standard userPassword attribute (and uid as the username) of the person objectClass.

Now, for particular authentication needs (because particular applications - like SQUID - do not support the standard PLAIN auth over TLS/SSL which we usually use), we consider installing Kerberos using our LDAP server as backend.

Such a setup is meant to continue to allow the standard PLAIN auth over TLS/SSL (directly by LDAP) in some applications and provide Kerberos authentication in others, based on the same user/password database (stored and maintained in LDAP). [I know that in many environments, userPassword and krbPrincipalKey are deliberately different.]

Generally, the Kerberos installation and user administration process involves creating Principals (krbPrincipalName) and Principal Keys (krbPrincipalKey).

My question:

Is there a way to automatically populate (either internally, via LDAP configuration, or externally, by running - for example - an external script) the values of krbPrincipalName and krbPrincipalKey attributes, so that these values can be produced by the values of the currently used attributes (uid, userPassword, including possibly others.)? This would allow initial creation of values for the above attributes using the same password value.

Here: https://help.ubuntu.com/10.04/serverguide/C/kerberos-ldap.html I have found a quite descriptive tutorial, which, unfortunately, does not cover the above issues.

Any feedback and system design advice will be appreciated.

Thanks in advance,