[Date Prev][Date Next]
Very quick pointer
- To: firstname.lastname@example.org
- Subject: Very quick pointer
- From: Tim Watts <email@example.com>
- Date: Mon, 28 May 2012 21:25:54 +0100
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
My LDAP skillz are (very) slowly coming along - thanks to good folk
here, I think I have figured out ACLs and I have managed to get
rwm/relay to emulate an old tree structure (well enough) whilst being
able to design a better structure for our department.
My next question is just a request for a pointer.
My understanding of LDAP authentication is very limited. What I would
like to do is a 2 phase transition to kerberos (which I do understand):
1) Rig OpenLDAP so all password changes get sent to the kerberos server
but do not use it for authentication. In the meantime we will continue
authenticate with the SSHA1 hashes in the user's LDAP entry.
2) After some time (months) when everyone has eventually done a password
change, the Kerberos server will be well enough in sync. Now I would
like to switch OpenLDAP to using kerberos on the backend (ie for binds
etc) and I will purge the SSHA1 hashes.
I most interested in some pointers for stage 1) is someone could be kind
enough to help me out - is there a particular name for this mechanism,
or a module that handles this kind of stuff?
2) I think I can probably google for myslef (keywords SASL and/or GSSAPI
and/or LDAP+Kerberos. I've had a skim but did not notice an obvious way
to handle 1) without 2)
I apologise if it's a dumb question :-o
Many thanks in advance :)
Personal Blog: http://www.dionic.net/tim/