MIT Kerberos and LDAP Backend Passwords synchronization

To: openldap-technical@openldap.org

Subject: MIT Kerberos and LDAP Backend Passwords synchronization

From: Abdelkader Chelouah <a.chelouah@gmail.com>

Date: Thu, 13 Feb 2014 21:55:39 +0100

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=R2Qn8Kp83immBgSDicpN8EPAFQEgI+aYJ7d0hiRFndU=; b=TQYm5LbcxdXDoCiGV1zhb5/4gIkNC1NXgHjLTwtOLZCMwtQ94oJamns43Fya5Iv+BV vu7RR+q+P6FmkFo1+5yHxWdnKtcC92Gg2lyPS7LjTo8OSOgHWdhLz2ToSA+DBoD37eBj lhhiK6PdWjh4ZmDgTu6ZjcXCJepaZJH+gyshb+mrKD+XXFxMrVUNA+Oa+yHQNQFgBDA7 bsK86jpvfGqptWcQWaoviSnXn64K1cNB8XjtuInrWTq0yA+/+xwS3Q9etBwFuuyV4UbC OzkDpgk3gwDoVnndknp7hGSy5OlycL5itgvmkVPtONIzRy8nCtRqJihxS/ygOCIKHYZG blTA==

Hello all,

I configured a KDC (MIT Kerberos 1.12.1) with an OpenLDAP (2.4.32) Backend. Everything is working fine. We want to migrate smoothly from LDAP password to KDC password. For that purpose, we plan to force user to change their password using ldappasswd command, intercept the password modification with smbkrb5pwd overlay and then change the userPassword attribute for SASL passthrough. I setup up the overlay smbkrb5pwd (last git version) to synchronized LDAP and Kerberos passwords as decribed on

https://github.com/opinsys/smbkrb5pwd

The module is loaded correctly. However, the "ldappasswd" command hangs now. This is apparently due to a locking issue. Is anyone succeeded to configure the overlay ? Is there any other way to synchronize LDAP et KDC passwords when OpenLDAP is used as a Backend ?