Re: Migrating from local LDAP auth to LDAP+kerberos

On 26/09/11 09:56, turbo@bayour.com wrote:
On Mon, 26 Sep 2011 09:05:31 +0100, Tim Watts wrote:

1) Once LDAP is backended with kerberos

I haven't been paying attention the last couple of years, but this used
to be a bad idea (primarily because it's easy to get auth loops?).

In either case, you can 'bind' LDAP and Kerberos using the userPassword
attribute like so (using Cyrus SASL):


2) Can I migrate users piecemeal, e.g. remove their LDAP passwords one
by one and (possibly tweaking something on the LDAP directory) have
those users auth through to kerberos, while other users auth to the
LDAP directory, until everyone is moved?

That I actually learned myself last week :). Apparently you can have
userPassword attributes! :)

SHAMELESS PLUG: Have a look at http://www.bayour.com/LDAPv3-HOWTO.html.
It's getting a little old now, but much of it is still relevant.

DISCLAIMER: Some of the hardcore LDAP admins/coders dislike some of my
recommendations (rightfully), but I'm only trying to make a point :)


Thanks - I will have a read of that link - and thanks for the tip about multiple userPassword attributes.



Tim Watts
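The piecemeal migration discussed above, as an added example that is not part of the thread and not code from either poster. It assumes OpenLDAP's {SASL} password scheme: a userPassword value of the form "{SASL}user@REALM" makes slapd hand the simple bind to SASL (typically saslauthd started with the kerberos5 mechanism, with "pwcheck_method: saslauthd" in slapd's SASL config, and slapd built with --enable-spasswd) instead of comparing against a locally stored hash. Because slapd accepts a simple bind when any one of several userPassword values verifies, a user can carry a local hash and a {SASL} value at the same time, which is the transition state. The script reads an LDIF export, reports per user which path a bind would take, and emits the ldapmodify changes for the two stages of moving one user. The DNs, uids, realm and hash values are constructed sample data.

```python
"""Audit an LDIF export and generate per-user changes for a piecemeal
LDAP -> LDAP+Kerberos migration (added example, not from the original thread).

Assumes OpenLDAP's {SASL} userPassword scheme: "{SASL}uid@REALM" makes slapd
verify the bind via saslauthd (kerberos5 mechanism) rather than a local hash.
All names below are constructed sample data.
"""
import base64

REALM = "EXAMPLE.COM"  # assumption: the Kerberos realm users are moved to


def _b64(value: str) -> str:
    return base64.b64encode(value.encode()).decode()


# Constructed sample export in the shape `ldapsearch -LLL` produces. ldapsearch
# base64-encodes userPassword ("::"); the plain form is accepted as well. The
# {SSHA} strings are placeholders, not real digests.
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
userPassword: {{SSHA}}{_b64('placeholder-digest-1')}

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
userPassword:: {_b64('{SSHA}' + 'YW5vdGhlcnNhbXBsZWhhc2g=')}

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
userPassword: {{SSHA}}{_b64('placeholder-digest-3')}
userPassword: {{SASL}}carol@{REALM}

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
userPassword: {{SASL}}dave@{REALM}
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' (base64)
    values, returns one {attribute: [values]} dict per record (names lower-cased)."""
    entries: list[dict[str, list[str]]] = []
    for block in text.strip().split("\n\n"):
        lines: list[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # folded continuation line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        entry: dict[str, list[str]] = {}
        for line in lines:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):               # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode()
            else:                                  # "attr: <value>"
                value = rest.strip()
            entry.setdefault(name.lower(), []).append(value)
        entries.append(entry)
    return entries


def scheme_of(value: str) -> str:
    """Return the {SCHEME} prefix of a userPassword value, or 'cleartext'."""
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1].upper()
    return "cleartext"


def auth_path(entry: dict[str, list[str]]) -> str:
    """How slapd would verify a simple bind against this entry:
    'kerberos'   only {SASL} values: every bind goes to saslauthd/KDC
    'local'      no {SASL} value: compared against stored hash(es)
    'transition' both present: either succeeds (any matching value is enough)
    'none'       no userPassword at all: a simple bind cannot succeed"""
    schemes = {scheme_of(v) for v in entry.get("userpassword", [])}
    if not schemes:
        return "none"
    if schemes == {"{SASL}"}:
        return "kerberos"
    if "{SASL}" in schemes:
        return "transition"
    return "local"


def migration_ldif(entry: dict[str, list[str]], realm: str = REALM,
                   stage: str = "add") -> str:
    """LDIF for ldapmodify moving one user to Kerberos.
    stage='add'     adds {SASL}uid@realm next to the existing values, so the
                    old hash still works while the Kerberos path is tested
    stage='cutover' replaces every userPassword value with the {SASL} one,
                    so the local hash is gone and only the KDC can authenticate"""
    if stage not in ("add", "cutover"):
        raise ValueError(f"unknown stage {stage!r}")
    uid = entry["uid"][0]
    op = "add" if stage == "add" else "replace"
    return "\n".join([
        f"dn: {entry['dn'][0]}",
        "changetype: modify",
        f"{op}: userPassword",
        f"userPassword: {{SASL}}{uid}@{realm}",
        "-",
        "",
    ])


def audit(text: str) -> dict[str, str]:
    """uid -> bind path for every entry in the export that has a uid."""
    return {e["uid"][0]: auth_path(e) for e in parse_ldif(text) if "uid" in e}


if __name__ == "__main__":
    for uid, path in audit(SAMPLE_LDIF).items():
        print(f"{uid:8} {path}")
    print(migration_ldif(parse_ldif(SAMPLE_LDIF)[0], stage="add"))
```

Apply the 'add' stage first, check that the user can still bind (for example `ldapwhoami -x -D "uid=alice,ou=People,dc=example,dc=com" -W` with the Kerberos password and then with the old LDAP one), and only then apply 'cutover'; if slapd was built without SASL password support the {SASL} value simply never verifies, and the local hash is what keeps the user working until that is fixed. On the auth-loop point raised in the thread: any DN that the KDC, saslauthd or slapd itself uses to bind to this directory must keep a locally verifiable hash, otherwise the bind is forwarded to the KDC that is waiting on that very bind.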
