
Re: Kerberos with LDAP backend: password sync



Nick Milas wrote:
On 21/7/2011 8:50 AM, Michael Ströder wrote:

Dan White wrote:


See:

contrib/slapd-modules/smbk5pwd/

Note that this overlay only works when using heimdal software for the
KDC which uses a different LDAP schema.

Since the original poster mentioned attributes krbPrincipalName and
krbPrincipalKey he seems to use MIT Kerberos.

Thank you all for your feedback.

Yes, it's the MIT Kerberos. And, after looking into smbk5pwd, it does
the opposite (of what I want): it automatically gets value for
userPassword based on the Principal key (krb5Key) attribute (using the
krb5-kdc.schema).

I am looking if it is possible to automatically populate/produce
krbPrincipalKey attribute values (kerberos.schema) based on current
userPassword attribute values (person objectClass in core.schema),
without knowing the stored password (encoded mainly as MD5).

Obviously not.

Any ideas?

Generating a Kerberos key requires knowing the original plaintext that will be used to derive the key. A hashed password cannot be simply reversed into its original plaintext; that's the point of hashing it.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
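To make the point concrete, here is an added example (not code from this thread, OpenLDAP or MIT Kerberos) that runs the PBKDF2 stage of the RFC 3962 AES string-to-key function against the RFC's own test vector and, beside it, the only operation an OpenLDAP {MD5} or {SSHA} userPassword value supports: checking a candidate plaintext. The password-change hook on_password_change and the principal-name salt handling are assumptions, and the final AES-based DK step of string-to-key is omitted because it consumes no further secret input.

```python
import base64
import hashlib
import hmac
import os

# RFC 3962 default salt for the AES enctypes: the realm name followed by the
# principal name components concatenated (no separators, no '@').
def krb5_default_salt(realm, principal):
    return (realm + "".join(principal.split("/"))).encode("utf-8")

# PBKDF2 stage of the RFC 3962 string-to-key function (aes128-cts-hmac-sha1-96,
# default 4096 iterations). The stored Kerberos key is DK(tmp, "kerberos"), an
# AES-only step applied to this output; the plaintext password is consumed here,
# which is why nothing derived from a hashed userPassword can replace it.
def krb5_aes128_string_to_key_seed(password, realm, principal, iterations=4096):
    salt = krb5_default_salt(realm, principal)
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 16)

# OpenLDAP-style {SSHA} userPassword: base64(sha1(plaintext + salt) + salt).
def ssha_userpassword(password, salt=None):
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

# A stored {MD5}/{SSHA} value supports exactly one operation: comparing a
# candidate plaintext against it. It never yields the plaintext, so it can
# never be fed into string-to-key.
def verify_userpassword(stored, candidate):
    scheme, _, b64 = stored.partition("}")
    raw = base64.b64decode(b64)
    pw = candidate.encode("utf-8")
    if scheme == "{MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == "{SSHA":
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported userPassword scheme: " + scheme + "}")

# Assumed hook: the one point where both representations can be produced is a
# password change (e.g. an overlay handling the Password Modify operation),
# because only there is the plaintext still available.
def on_password_change(plaintext, realm, principal):
    return {
        "userPassword": ssha_userpassword(plaintext),
        "krb5_aes128_seed": krb5_aes128_string_to_key_seed(plaintext, realm, principal),
    }
```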