BTW I'd appreciate any recommendations about providing Kerberos and LDAP authentication (with the same password) in a production setting.

Should I use Heimdal or MIT Kerberos?

If Heimdal, is it better to use OpenLDAP as a backend for Kerberos or let Kerberos use its native backend?

If OpenLDAP as a backend, is it better to use {K5KEY} as the userPassword or let smbk5pwd synchronize everything?

Read the smbk5pwd README.

I've read it. Your answer seems to imply that I should use Heimdal and then OpenLDAP as its backend. Am I right?

It's more than just implied. The README says the code was written for Heimdal. If you want to use smbk5pwd at all, then you must use Heimdal.

Sorry, my question was not very clear. I want LDAP Simple Binds and Kerberos with the same password. I find smbk5pwd and OpenLDAP as a Heimdal backend very appealing, but maybe there are good reasons to use another Kerberos implementation and/or store passwords in the Kerberos native backend (adding e.g. SASL in the mix to make LDAP Simple Binds use pass-through authentication), obviously ruling out smbk5pwd.

AFAICS with smbk5pwd I have two ways to have LDAP Simple Binds and Kerberos with the same password.

Do you recommend using {K5KEY} as the userPassword?

If you want LDAP Simple Binds to use the same password as Kerberos, then yes. If not, then no.

1) force use of ldappasswd to make smbk5pwd synchronize all passwords;
2) assign {K5KEY} to the userPassword and use kpasswd to change a password.

If I understood correctly, the second method makes the passwords identical by construction while the first allows passwords to desynchronize if changed without ldappasswd.

Best regards, Thierry
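
As an added illustration (not part of the thread and not code from OpenLDAP or Heimdal), a small Python audit of an LDIF export that tells the two setups discussed above apart: entries whose userPassword is {K5KEY}, and entries that carry a separate hash which stays equal to the Kerberos password only while changes go through ldappasswd. The sample LDIF is constructed, and the attribute name krb5PrincipalName assumes Heimdal's LDAP schema.

```python
import base64

# Constructed sample export; DNs, realm and hash values are placeholders.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
krb5PrincipalName: alice@EXAMPLE.ORG
userPassword:: e0s1S0VZfQ==

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
krb5PrincipalName: bob@EXAMPLE.ORG
userPassword: {SSHA}constructedPlaceholderHash

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
userPassword: {SSHA}constructedPlaceholderHash
"""

def parse_ldif(text):
    """Parse a simple LDIF export into a list of {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        # Unfold continuation lines (a leading space continues the previous line).
        for line in block.replace("\n ", "").splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>", usual for userPassword
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def classify(entry):
    """Label an entry by how its simple-bind password relates to Kerberos."""
    if "krb5principalname" not in entry:
        return "no-kerberos"
    passwords = entry.get("userpassword", [])
    if any(p.upper() == "{K5KEY}" for p in passwords):
        return "k5key"          # method 2: bind is checked against the Kerberos keys
    return "separate-hash"      # method 1: can drift if changed outside ldappasswd

def audit(text):
    """Map each DN in the export to its classification."""
    return {e["dn"][0]: classify(e) for e in parse_ldif(text)}

if __name__ == "__main__":
    for dn, status in audit(SAMPLE_LDIF).items():
        print(f"{status:14} {dn}")
```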