Re: Kerberos with LDAP backend: password sync
Nick Milas wrote:
On 21/7/2011 8:50 πμ, Michael Ströder wrote:
Dan White wrote:
Note that this overlay only works when using heimdal software for the
KDC which uses a different LDAP schema.
Since the original poster mentioned attributes krbPrincipalName and
krbPrincipalKey he seems to use MIT Kerberos.
Thank you all for your feedback.
Yes, it's the MIT Kerberos. And, after looking into smbk5pwd, it does
the opposite (of what I want): it automatically gets value for
userPassword based on the Principal key (krb5Key) attribute (using the
I am looking if it is possible to automatically populate/produce
krbPrincipalKey attribute values (kerberos.schema) based on current
userPassword attribute values (person objectClass in core.schema),
without knowing the stored password (encoded mainly as MD5).
Generating a Kerberos key requires knowing the original plaintext that will be
used to derive the key. A hashed password cannot be simply reversed into its
original plaintext; that's the point of hashing it.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
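
The point made in the reply above, as an added example that is not part of the original thread: an unsalted {MD5} userPassword value and a Kerberos AES key are two separate one-way functions of the same plaintext, so the stored value cannot be turned into the key. The function names, users, realm and passwords are constructed for illustration, and the code computes the PBKDF2 stage of the RFC 3962 string-to-key (the following key-derivation step needs AES, which the Python standard library does not provide).

```python
import base64
import hashlib


def ldap_md5(password: str) -> str:
    """userPassword value in the unsalted {MD5} scheme: base64(MD5(password))."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def krb_aes_pbkdf2_stage(password: str, principal: str, realm: str,
                         iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key (AES enctypes).

    The default salt is the realm followed by the principal's name components.
    The input is the plaintext password; no stored hash can stand in for it.
    """
    salt = (realm + "".join(principal.split("/"))).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, 32)


def compare(password: str, realm: str = "EXAMPLE.COM") -> dict:
    """Derive both values for two constructed users who share one password."""
    stored = ldap_md5(password)  # what the directory already holds
    alice = krb_aes_pbkdf2_stage(password, "alice", realm)
    bob = krb_aes_pbkdf2_stage(password, "bob", realm)
    # Using the stored hash string as KDF input gives an unrelated result,
    # because the KDF hashes its input again with a different salt.
    from_hash = krb_aes_pbkdf2_stage(stored, "alice", realm)
    return {
        "ldap_value": stored,
        "per_principal_keys_differ": alice != bob,
        "hash_as_input_matches": from_hash == alice,
    }


if __name__ == "__main__":
    for name, value in compare("correct horse battery").items():
        print(name, value)
```

Both values can only be computed at a point where the plaintext is present, such as the moment the user sets or changes the password.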