[Date Prev][Date Next]
Re: Kerberos with LDAP backend: password sync
Dan White wrote:
On 21/07/11 00:39 +0300, Nick Milas wrote:
Such a setup is meant to continue to allow the standard PLAIN auth over
TLS/SSL (directly by LDAP) in some applications and provide Kerberos
authentication in others, based on the same user/password database (stored
and maintained in LDAP). [I know that in many environments, userPassword and
krbPrincipalKey are deliberately different.]
Is there a way to automatically populate (either internally, via LDAP
configuration, or externally, by running - for example - an external script)
the values of krbPrincipalName and krbPrincipalKey attributes, so that these
values can be produced by the values of the currently used attributes (uid,
userPassword, including possibly others.)? This would allow initial creation
of values for the above attributes using the same password value.
Note that this overlay only works when using heimdal software for the KDC
which uses a different LDAP schema.
Since the orginal poster mentioned attributes krbPrincipalName and
krbPrincipalKey he seems to use MIT Kerberos.