
RE: LDAP in heterogenous environment



Where can the required patches be found for Heimdal to use OpenLDAP for
a backend?

-----Original Message-----
From: Howard Chu [mailto:hyc@highlandsun.com]
Sent: Sunday, April 20, 2003 10:36 AM
To: walter+openldap@efrei.fr; openldap-software@OpenLDAP.org
Subject: RE: ldap in heterogenous environment


> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jerome Walter

> On Sat, Apr 19, 2003 at 06:23:33PM -0600, David Smith wrote:
> > I can confirm that those rumors are true. We are doing just that
> > (including Kerberos) at my place of employment. There is one caveat:
> > your NT passwords must be stored as hashes in LDAP rather than in
> > Kerberos. The Samba PDC authenticates to those rather than to kerberos
> > in our setup.
>
> Isn't it possible to use Kerberos for the authentication and LDAP for
> storing user data (account, uid ...) ?
> This being done, the password should not be windows hashes but kerberos
> crypted (I think this is des/md5). But storing passwords in LDAP is not as
> secure as storing it in Kerberos database, as LDAP has not been thought as
> an authenticator and is designed for public data.
>
> This has been discussed here before, I think, or perhaps it was on Kerberos
> Mailing Lists.

This has been discussed here before. The solution that we recommend is to use
Heimdal with PADL's hdb-ldap backend and Symas' patches. (Not all of the
patches were present in Heimdal 0.5.2 so it seems you still have to apply
some by hand.) This approach gives the tightest integration, putting the
Kerberos user database in LDAP itself.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support