[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP 2.1 Released



>>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:

    ThierryW> in-directory secret storage seems to be simple
    ThierryW> like you said.. but which syntax for userpassword and who
    ThierryW> generate password (cause by default saslpassword write to
    ThierryW> sasldb..) ?

    Howard> As Tim already mentioned, you do all password management
    Howard> using only LDAP tools. The syntax for the userPassword
    Howard> attribute is an arbitrary cleartext string. You just use
    Howard> ldapmodify to set it, and you don't use the saslpasswd
    Howard> command any more since you don't use sasldb any more.

And if one uses Kerberos V? My 'userPassword' attribute is currently
of the form '{KERBEROS}USERPRINCIPAL' and I don't change password in
LDAP, but in Kerberos. Which means that i have to add/delete a user in
TWO places (really three, I'm using OpenAFS as well).

The 'only' reason when I started with LDAP a couple of years ago, was
so that I could have all in one place. This was with OpenLDAP 1.x (using
'userPassword={CRYPT}PASSWORD'. By needing/wanting secure replication,
I started to use Kerberos and keytabs.