Re: Kerberos and DIGEST-MD5
Jose González Gómez wrote:
> A question about something I didn't notice before... Is this
> synchronization really needed? You seem to imply that the password
> information stored in the KDC and in LDAP may differ and they need to be
> synchronized. But if Kerberos *uses* LDAP to store the password, doesn't
> the password get changed once you change it in LDAP? What am I missing
> here?
>
> This point raises another question... if Heimdal is able to store its
> passwords in LDAP, does that mean that changing a password using kpasswd
> would change it in LDAP? That would solve this whole issue as long as
> you are able to store them in clear text, and make the LDAP/Kerberos
> synchronization unneeded if you force users to change passwords using
> Kerberos (possible with LDAP ACLs). Am I right?
The KDC does not store passwords in cleartext. Nor does it store them in
the userPassword attribute. So yes, a synchronization mechanism is
necessary.
> Maybe you could stack the login modules so after successful login
> using pam_ldap, pam_krb5 connects to the KDC and gets the ticket...
> would this be possible?
Yes, that's how PAM works. Any further questions along these lines
should be taken to a PAM discussion forum.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
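The stacking described above, as an added illustration that is not part of the thread: a constructed PAM auth stack in which pam_ldap checks the password against LDAP and pam_krb5 then reuses that same password to obtain a ticket from the KDC. The module names and the `use_first_pass` option are standard; the file name and service are assumptions.

```text
# /etc/pam.d/login  (constructed example, not from the thread)
#
# 1. pam_ldap prompts for the password and binds to LDAP with it.
#    Login fails here if the LDAP userPassword does not match.
auth     required   pam_ldap.so
#
# 2. pam_krb5 reuses that password (use_first_pass) to authenticate to
#    the KDC and obtain a TGT. This only succeeds if the KDC key and the
#    LDAP userPassword were derived from the same password, i.e. the two
#    stores have been kept in sync by some external mechanism. 'optional'
#    lets the LDAP login succeed even when no ticket can be obtained.
auth     optional   pam_krb5.so use_first_pass
#
# 3. Most pam_krb5 implementations need a session entry to move the
#    ticket cache obtained at auth time into the user's session.
session  optional   pam_krb5.so
```

Since the KDC does not read userPassword, a mismatch between the two stores shows up as a silent failure of step 2 (no ticket after login), which is the symptom to watch for when the synchronization mechanism breaks.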