SASL pass-through autentication with a ldap-backend KDC

[Guillaume Rousse <Guillaume.Rousse@inria.fr>]

Hello list.

Reading http://www.openldap.org/doc/admin24/security.html#SASL password 
storage scheme, I understand autentication can be delegated to an 
external mechanisme. Such as, for instance, a kerberos server. In this 
case, it is advised to prevent changing passwords in the directory.

What happens if the autentication provider is an heimdal server, using 
OpenLDAP as its backend, and smbkrb5 overlay to keep ldap, samba and 
kerberos password synced ? Does pass-through still work ? And it is 
recommended then to make the userPassword attribute read-ony, but still 
use Exop PasswordChange to change samba and kerberos attributes ?

I didn't tested it yet, but it look very interesting if it works. 
Particulary because heimdal password change through kpassword doesn't 
use ExOp PasswordChange operation, but only update kerberos and samba 
passwords.

I know smbkrb5 has a special {smbkrb5} password storage scheme for 
redirecting autentication against kerberos password internally, not 
relying on a external SASL process. But it's only usable if smbkrb5 
overlay is available (some of our slaves servers are centos-based, and 
don't have this overlay, but still need to autenticate users). And the 
trick of setting password-hash directive in slapd.conf to {smbkrb5} to 
prevent overwriting of userPassword attribute on PasswordChange 
operation with a normal value has the drawback than even pure ldap 
administrative accounts (syncrepl, for instance) get redirected to 
kerberos password for autentication, whereas only our users have 
principals currently.
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62