
Re: slapd, SASL passthrough and changing passwords smashing userPassword



Tim Watts wrote:
Hi folks,

I hope this is a quick and easy one :)

I have slapd 2.4.23 working with passthrough to MIT kerberos via
saslauthd. I use smbkrb5pwd (a hack on smbk5pwd) to pass password
changes through to kerberos (creating or modifying the target principal
as required)

I haven't seen smbkrb5pwd but, as the author of smbk5pwd, it sounds like the hack is inadequate. smbk5pwd provides the {K5KEY} password hash mechanism, so you can use the Kerberos password directly, and you don't need {SASL} at all.

To enable a particular user to bind to slapd with their kerberos
password, I'm setting:

userPassword: {SASL}myuid@MY.KERBEROS.REALM.EXAMPLE.COM

This works *very nicely*. Except one thing...

Using passwd via pam_ldap or ldappasswd directly smashes userPassword:
and replaces the value with the password hash. Both mechanisms are doing
EXOP password changes.


Is there any way to stop this happening when the mechanism in
userPassword is {SASL} ?

Set password-hash to {SASL} in slapd.conf/slapd-config.

Or maybe there is another way to enable global SASL password passthroughs?

======

I'm in a transition phase. I need to import the slapcat output from the
old LDAP server to my new one. At this point, all authentication should
be done with the existing userPassword hash. Password changes should
update this hash and create/modify principals on the kerberos server.

Set the password-hash to {SASL} and whatever other hash you want to use.

3 months later, I want to switch the auth mechanism on all accounts to
passthrough to kerberos, at which point, ldappasswd should still work
but via smbkrb5pwd updating kerberos.

Maybe my strategy is wrong, but that's the basic problem I need to solve.

Am I trying this the wrong way?

Cheers and thanks in advance for any ideas.

Tim



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
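As an added example, not code from the thread or from OpenLDAP: a small Python audit of slapcat LDIF output that reports the userPassword scheme ({SASL}, {SSHA}, {K5KEY}, ...) for every entry. Running it against a slapcat dump before and after a password change shows whether a {SASL} passthrough value was replaced by a hash, and during the transition it shows how many accounts still carry a stored hash. The LDIF entries and the {SSHA} value are constructed sample data.

```python
import base64
import re

# Constructed slapcat-style sample, not from the thread: alice uses {SASL} passthrough,
# bob keeps a stored {SSHA} hash (made-up value, folded over two lines), and carol's
# {SASL} value is written base64-encoded with '::' as slapcat output often is.
_CAROL = base64.b64encode(b"{SASL}carol@MY.KERBEROS.REALM.EXAMPLE.COM").decode()
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {{SASL}}alice@MY.KERBEROS.REALM.EXAMPLE.COM

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: {{SSHA}}YWJjZGVmZ2hpamtsbW5v
 cHFyc3R1dnd4eXo=

dn: uid=carol,ou=people,dc=example,dc=com
userPassword:: {_CAROL}
"""

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry; handles folded lines and '::' base64."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        elif raw == "" and lines:                   # blank line ends an entry
            attrs = {}
            for line in lines:
                name, _, value = line.partition(":")
                if value.startswith(":"):           # 'attr:: <base64>'
                    value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
                attrs.setdefault(name.lower(), []).append(value.strip())
            entries.append(attrs)
            lines = []
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return entries

def password_scheme(value):
    """Scheme name in a userPassword value, or CLEARTEXT when it has no {scheme} prefix."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"

def audit(ldif_text):
    """Map each DN to the schemes of its userPassword values; a smashed {SASL} shows as {SSHA} etc."""
    return {e.get("dn", ["?"])[0]: [password_scheme(v) for v in e.get("userpassword", [])]
            for e in parse_ldif(ldif_text)}
```

Diffing two `audit()` reports (before and after an ldappasswd or pam_ldap change) pinpoints exactly which entries lost their {SASL} value.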