
Re: ldap in heterogenous environment



Howard,

Can you provide a link to that discussion's thread?

Thanks - Tod

Howard Chu wrote:

> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jerome Walter
>
> > On Sat, Apr 19, 2003 at 06:23:33PM -0600, David Smith wrote:
> > > I can confirm that those rumors are true. We are doing just that
> > > (including Kerberos) at my place of employment. There is one caveat:
> > > your NT passwords must be stored as hashes in LDAP rather than in
> > > Kerberos. The Samba PDC authenticates to those rather than to Kerberos
> > > in our setup.
> >
> > Isn't it possible to use Kerberos for the authentication and LDAP for
> > storing user data (account, uid ...)?
> > This being done, the password should not be Windows hashes but Kerberos
> > crypted (I think this is des/md5). But storing passwords in LDAP is not as
> > secure as storing it in the Kerberos database, as LDAP has not been thought
> > of as an authenticator and is designed for public data.
> >
> > This has been discussed here before, I think, or perhaps it was on the
> > Kerberos Mailing Lists.
>
> This has been discussed here before. The solution that we recommend is to use
> Heimdal with PADL's hdb-ldap backend and Symas' patches. (Not all of the
> patches were present in Heimdal 0.5.2 so it seems you still have to apply
> some by hand.) This approach gives the tightest integration, putting the
> Kerberos user database in LDAP itself.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support