[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Very quick pointer


On 05/28/2012 10:25 PM, Tim Watts wrote:
> 1) Rig OpenLDAP so all password changes get sent to the kerberos
> server but do not use it for authentication. In the meantime we will
> continue authenticate with the SSHA1 hashes in the user's LDAP
> entry.
The usual way to do this on most *nix systems is to actually 'rig' the
PAM. In debian for example you setup your /etc/pam.d/common-password to
contain something like:

password   sufficient pam_krb5.so ignore_root
password   required   pam_unix.so nullok obscure min=4 max=8 sha256

this sets up most of your tools to use the right modules when changing
the password, e.g. 'passwd'.

I do not know if you could do something like 'referring' a password
change request from the OpenLDAP server to the kerberos server but since
this would be an invitation von mitm attacks I doubt it.

> 2) After some time (months) when everyone has eventually done a
> password change, the Kerberos server will be well enough in sync. Now
> I would like to switch OpenLDAP to using kerberos on the backend (ie
> for binds etc) and I will purge the SSHA1 hashes.

We successfully auth against kerberos with our LDAP, you might be
interested in reading the SASL section of man slapd-config. Make sure
you ahve compiled your OpenLDAP with SASL support and have successfully
kerberized your server.

happy configuration party :)

Technische Universität Berlin - FGINET

Bernd May
System Administration

Attachment: signature.asc
Description: OpenPGP digital signature