[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [Fwd: Re: KDC {K5KEY} userPassword problem] Solved!!

To: Kent Nasveschuk <knasveschuk@mbl.edu>
Subject: Re: [Fwd: Re: KDC {K5KEY} userPassword problem] Solved!!
From: Howard Chu <hyc@symas.com>
Date: Wed, 05 Dec 2007 06:09:15 -0800
Cc: OpenLDAP <openldap-software@openldap.org>
In-reply-to: <1196861738.3312.10.camel@mbl2.klnc.net>
References: <1196861738.3312.10.camel@mbl2.klnc.net>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b2pre) Gecko/2007111122 SeaMonkey/2.0a1pre

Kent Nasveschuk wrote:

Although I specified in slapd.conf on the slave servers:

moduleload              /opt/openldap-2.3.39/lib/smbk5pwd.la

I omitted:

overlay smbk5pwd

I'm guessing slapd never passed credentials to KDC, hence the (49) error
code.

The README states quite clearly that the overlay evaluates the Kerberos keys stored in the LDAP entry. It never talks to the KDC; there's no reason to since the KDC's data all resides in the LDAP entry. As I said in my first reply to you - it only works if you actually configure it.

1 more question, how does the smbk5pwd module handle a Kerberos password
that is expired? Is there a specific error code? I suppose I could
expire one then try it.

I guess you're talking about the krb5PasswordEnd attribute. The overlay does not check this at all.

2 days of wrestling with this, finally got it to work.


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

References:
- [Fwd: Re: KDC {K5KEY} userPassword problem] Solved!!
  - From: Kent Nasveschuk <knasveschuk@mbl.edu>

Prev by Date: Re: Problem with K5KEY implementation
Next by Date: syncrepl - ldap_start_tls failed (-11)
Index(es):
- Chronological
- Thread