
Re: Synchronize LDAP with DCE ?
This might be of interest to some of you...

(This is a modified copy of a reply I sent)

Someone wrote:
> I wrote:
> > Someone else wrote:
> > > I'd like to know if it is possible to bind to an entry in an LDAP database, with
> > > password for binding obtained from an "external" source, e.g. NIS, DCE, etc.
> > Yes, Kerberos.
> But the DCE version we're using supports Kerberos V only.  Will future versions
> of OpenLDAP support Kerberos V?

Yes.  In fact, you might be able to use OpenLDAP with KV today using KV's
Kerberos IV API compatibility support.  Minor changes might be needed.  And, of
course, someone could extend (or likely has extended) the protocol to support
a KV-specific bind.  But the future will be KV via SASL.

> > One could also modify the code to support lookup via
> > getpwent(), which would give you /etc/passwd, NIS, PAM
> > integration.
> Yes, it works with minor modification.

I was thinking someone could easily add support to allow:
	dn: uid=foo,dc=bar
	objectclass: person
	objectclass: dcObject
	uid: foo
	userPassword: {unix}foo

The server would key on the {unix} method; the "hash" value "foo" is
actually the account name to look up in the system password database...

In fact, maybe Kerberos should use this approach:
	userPassword:	{kerberos}bjensen@umich.edu

instead of using the krbName attribute approach.

Of course, someone might want to extend slapd to support multiple
user passwords...

Note: overloading userPassword with the Kerberos principal name may not actually be wise.
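As an added example (not code from this message or from OpenLDAP's slapd), here is a small Python model of the dispatch proposed above: the scheme tag in userPassword selects the verification method. {unix} treats the remainder as an account name to look up in the host password database (a constructed in-memory table stands in for getpwent()/NIS/PAM), {kerberos} delegates to a pluggable verifier standing in for the KDC, and the conventional {SHA} tag and untagged cleartext values are compared locally. Several userPassword values on one entry are tried in order, covering the "multiple user passwords" idea. BindResult, bind, SYSTEM_PASSWD, the salted-SHA-256 stand-in for crypt(3), and the sample accounts and passwords are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


def _unix_hash(salt: str, password: str) -> str:
    """Salted SHA-256, a constructed stand-in for crypt(3) in the host password database."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed stand-in for what getpwent()/NIS/PAM would answer: account -> "salt$digest".
SYSTEM_PASSWD = {
    "foo": "x1$" + _unix_hash("x1", "correct horse"),
    "bjensen": "q9$" + _unix_hash("q9", "battery staple"),
}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$", re.S)


@dataclass
class BindResult:
    ok: bool
    scheme: str   # scheme that accepted the bind, or "none"
    detail: str


def parse_userpassword(value: str) -> tuple:
    """Split '{scheme}rest' into (scheme, rest); an untagged value is cleartext."""
    m = _SCHEME_RE.match(value)
    if m:
        return m.group(1).lower(), m.group(2)
    return "cleartext", value


def check_unix(account: str, password: str) -> bool:
    """{unix}: the stored 'hash' is really an account name, verified against the system database."""
    entry = SYSTEM_PASSWD.get(account)
    if entry is None:
        return False
    salt, digest = entry.split("$", 1)
    return hmac.compare_digest(_unix_hash(salt, password), digest)


def make_sha_value(password: str) -> str:
    """Conventional LDAP {SHA} value: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_sha(stored_b64: str, password: str) -> bool:
    try:
        stored = base64.b64decode(stored_b64, validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(stored, hashlib.sha1(password.encode("utf-8")).digest())


def bind(user_password_values: Iterable[str], password: str,
         kdc_verify: Optional[Callable[[str, str], bool]] = None) -> BindResult:
    """Try each userPassword value in turn; the scheme tag decides how it is verified."""
    for value in user_password_values:
        scheme, rest = parse_userpassword(value)
        if scheme == "unix":
            ok = check_unix(rest, password)
        elif scheme == "kerberos":
            # The value is a principal name, not a secret: verification must be delegated.
            ok = kdc_verify is not None and kdc_verify(rest, password)
        elif scheme == "sha":
            ok = check_sha(rest, password)
        elif scheme == "cleartext":
            ok = hmac.compare_digest(rest.encode("utf-8"), password.encode("utf-8"))
        else:
            # Unknown tag: refuse it rather than fall back to a cleartext compare.
            continue
        if ok:
            return BindResult(True, scheme, f"accepted via {{{scheme}}} value")
    return BindResult(False, "none", "no userPassword value accepted the credential")
```

Two design choices matter here. An unknown scheme tag is skipped rather than compared as cleartext, so a value the server does not understand can never be accepted by accident. And a {kerberos} value carries no secret at all, which is exactly why overloading userPassword is questionable: anything that reads the attribute expecting a hash (an LDAP compare, a client verifying locally, a replica with an older slapd) will either fail or, worse, treat the principal name as a password.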