
krb5PrincipalName and userPassword



I've just been playing with the ppolicy overlay and noticed
that I wasn't locked out! Took a while to figure out, but I
was only locked out if I was using a simple bind!

I've always used:

     userPassword: {SASL}turbo@INT.DOMAIN.TLD
     krb5PrincipalName: turbo@INT.DOMAIN.TLD

But before testing ppolicy, I changed the userPassword
to '{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==' (=> 'secret').


I always thought that these two went hand in hand, but
my tests now show that they are not. Is this so?!

Can this have something to do with my sasl-regexp?

----- s n i p -----
sasl-regexp
        uid=(.*),cn=int.domain.tld,cn=gssapi,cn=auth
        ldap:///c=SE??sub?krb5PrincipalName=$1@INT.DOMAIN.TLD
----- s n i p -----

So the result of this is that I can have one password
for simple binds and one for SASL binds... Not a bad
thing, but still...


Is it possible to apply the ppolicy on SASL binds?