RE: OpenLDAP 2.1 Released
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo
> Fredriksson
> >>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:
> Howard> As Tim already mentioned, you do all password management
> Howard> using only LDAP tools. The syntax for the userPassword
> Howard> attribute is an arbitrary cleartext string. You just use
> Howard> ldapmodify to set it, and you don't use the saslpasswd
> Howard> command any more since you don't use sasldb any more.
>
> And if one uses Kerberos V? My 'userPassword' attribute is currently
> of the form '{KERBEROS}USERPRINCIPAL' and I don't change password in
> LDAP, but in Kerberos.
That is an ugly, insecure, slow-performing hack. If you have Kerberos V then
you should be using SASL/GSSAPI to login to LDAP, and completely ignoring
the userPassword attribute.
> Which means that I have to add/delete a user in
> TWO places (really three, I'm using OpenAFS as well).
> The 'only' reason when I started with LDAP a couple of years ago, was
> so that I could have all in one place. This was with OpenLDAP 1.x (using
> 'userPassword={CRYPT}PASSWORD'). By needing/wanting secure replication,
> I started to use Kerberos and keytabs.
You can have everything in one place. Use the Heimdal KDC with its LDAP
database backend. It works pretty well. It's been at least 5 years since
I've worked with AFS but I know you can shoehorn a KDC of your choosing
into there as well. Then all of your LDAP, Kerberos, and AFS users will
reside in only one place.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
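The SASL/GSSAPI bind Howard recommends above, as an added example that is not part of the thread or of OpenLDAP itself: the slapd.conf lines and client commands are in the comments, and the two functions reproduce offline the identity mapping slapd performs, so the reader can see how a Kerberos principal reaches a directory entry without any userPassword value. The realm EXAMPLE.COM, suffix dc=example,dc=com and host ldap.example.com are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed realm EXAMPLE.COM and suffix dc=example,dc=com.
#
# slapd.conf: tell slapd the Kerberos realm and map GSSAPI identities to entries.
#   sasl-realm   EXAMPLE.COM
#   authz-regexp "uid=([^,]*),cn=example.com,cn=gssapi,cn=auth"
#                "uid=$1,ou=people,dc=example,dc=com"
#
# A client then proves its identity with a ticket, never a password sent to LDAP:
#   kinit turbo@EXAMPLE.COM
#   ldapwhoami -Y GSSAPI -H ldap://ldap.example.com
#   -> dn:uid=turbo,ou=people,dc=example,dc=com
#
# With this in place the userPassword attribute is simply never consulted for
# these users, so there is nothing for an attacker to read or crack there.

# SASL identity slapd derives from the principal 'primary[/instance]@REALM':
#   uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
# Realm and mechanism are shown lowercased as in the OpenLDAP admin guide;
# the authz-regexp match itself is case-insensitive.
sasl_authzid() {
    principal="$1"
    primary="${principal%@*}"
    realm=$(printf '%s' "${principal#*@}" | tr 'A-Z' 'a-z')
    printf 'uid=%s,cn=%s,cn=gssapi,cn=auth\n' "$primary" "$realm"
}

# Apply the same rewrite as the authz-regexp rule above.
# Identities from another realm or mechanism do not match and are rejected,
# which is exactly what keeps a foreign principal from landing on a local DN.
map_to_dn() {
    authzid="$1"
    if printf '%s\n' "$authzid" | grep -Eiq '^uid=[^,]*,cn=example\.com,cn=gssapi,cn=auth$'; then
        uid="${authzid#uid=}"
        uid="${uid%%,*}"
        printf 'uid=%s,ou=people,dc=example,dc=com\n' "$uid"
    else
        return 1
    fi
}

# Usage: map_to_dn "$(sasl_authzid turbo@EXAMPLE.COM)"
#   prints uid=turbo,ou=people,dc=example,dc=com
```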