Re: OpenLDAP 2.1 Released
>>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:
ThierryW> in-directory secret storage seems to be simple
ThierryW> like you said.. but which syntax for userpassword and who
ThierryW> generate password (cause by default saslpassword write to
ThierryW> sasldb..) ?
Howard> As Tim already mentioned, you do all password management
Howard> using only LDAP tools. The syntax for the userPassword
Howard> attribute is an arbitrary cleartext string. You just use
Howard> ldapmodify to set it, and you don't use the saslpasswd
Howard> command any more since you don't use sasldb any more.

And if one uses Kerberos V? My 'userPassword' attribute is currently
of the form '{KERBEROS}USERPRINCIPAL' and I don't change password in
LDAP, but in Kerberos. Which means that I have to add/delete a user in
TWO places (really three, I'm using OpenAFS as well).

The 'only' reason when I started with LDAP a couple of years ago, was
so that I could have all in one place. This was with OpenLDAP 1.x (using
'userPassword={CRYPT}PASSWORD'). By needing/wanting secure replication,
I started to use Kerberos and keytabs.