[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: MIT Kerberos and LDAP Backend Passwords synchronization

To: Ryan Tandy <rtandy@sd63.bc.ca>, openldap-technical@openldap.org
Subject: Re: MIT Kerberos and LDAP Backend Passwords synchronization
From: Abdelkader Chelouah <a.chelouah@gmail.com>
Date: Fri, 14 Feb 2014 00:18:03 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=crhDb0Dr8GQaZNnFiaN9R0OS5Ss8ivPT75ooHm9dxHk=; b=BAEUGwx389i0CoPyBC4kH2Jo2yHUqbZYBaJOuGc70j+pDPDfnDmBqcRPdqbmWChYK5 30BuMogHmsyuGaXu6ZZ9NHJ7x+gUggkfrD1s5sdzG4vMwfozx+Sc/DjYTBFo5rrP63Xi 8+ULt889YwWlIacEZQhw8s2pPETcVIXHxRg+hChBXNZThVSW3lFRjGDSDXRLnW/Halr8 jd9XnvpbvbYKzsq5C/iT2h7E5oz3tdvtAZeaRp33+Hy3iUmNZv1zFyITai+Mhpi59gNI L6COnLA7IBS+XVJ2c6t5s2o/wX6K3lmbCP98aaXs3+Nbm2z8rU8Oll9HY3ildYHmsH7A FFSA==
In-reply-to: <52FD368C.3050408@sd63.bc.ca>
References: <CALD-T+kd15z5fseaQzJWvnVHDSxyREj_5NOrU9f7Ky1SR=KmMw@mail.gmail.com> <52FD368C.3050408@sd63.bc.ca>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0

Actually, that's the point, my kerberos data and the userPassword arenot in separate entries, so the locking issue. As far as concerned SASLpassthrough, we are migrating users from OpenLDAP to KDC+OpenLDAPBackend. As we cannot derive a user password from the hash, first wehave to force users to change their password (for the synchronizationwith the KDC password) and then to use SASL passthrough.


On 13/02/2014 22:18, Ryan Tandy wrote:

On 14-02-13 12:55 PM, Abdelkader Chelouah wrote:

The module is loaded correctly. However, the "ldappasswd" command
hangs now. This is apparently due to a locking issue. Is anyone
succeeded to configure the overlay ?

I'm using (slightly modified [1]) smbkrb5pwd in production and haven't
encountered any such locking issue. Can you provide more details about
your setup, and perhaps a debug log of such a hung request? I assume
your userPassword attribute and Kerberos data are in separate entries as
per the README.

[1] https://github.com/sd63/smbkrb5pwd/compare/opinsys:master...master

BTW, I don't understand your mention of SASL passthrough. The point of
smbkrb5pwd is to synchronize the userPassword and Kerberos password. If
you want to use SASL passthrough instead, then you should just change
the Kerberos password directly, right?

Follow-Ups:
- Re: MIT Kerberos and LDAP Backend Passwords synchronization
  - From: Ryan Tandy <rtandy@sd63.bc.ca>

References:
- MIT Kerberos and LDAP Backend Passwords synchronization
  - From: Abdelkader Chelouah <a.chelouah@gmail.com>
- Re: MIT Kerberos and LDAP Backend Passwords synchronization
  - From: Ryan Tandy <rtandy@sd63.bc.ca>

Prev by Date: Re: MIT Kerberos and LDAP Backend Passwords synchronization
Next by Date: Re: MIT Kerberos and LDAP Backend Passwords synchronization
Index(es):
- Chronological
- Thread