Kerberos with LDAP backend: password sync
Hello,
We've been using OpenLDAP for all major services (mainly mail,
Shibboleth, web service authentication etc.) based on authentication
over the standard userPassword attribute (and uid as the username) of
the person objectClass.
Now, for particular authentication needs (because particular
applications - like SQUID - do not support the standard PLAIN auth over
TLS/SSL which we usually use), we consider installing Kerberos using our
LDAP server as backend.
Such a setup is meant to continue to allow the standard PLAIN auth over
TLS/SSL (directly by LDAP) in some applications and provide Kerberos
authentication in others, based on the same user/password database
(stored and maintained in LDAP). [I know that in many environments,
userPassword and krbPrincipalKey are deliberately different.]
Generally, the Kerberos installation and user administration process
involves creating Principals (krbPrincipalName) and Principal Keys
(krbPrincipalKey).
My question:
Is there a way to automatically populate (either internally, via LDAP
configuration, or externally, by running - for example - an external
script) the values of the krbPrincipalName and krbPrincipalKey attributes,
so that these values are produced from the values of the currently used
attributes (uid, userPassword, and possibly others)? This would
allow initial creation of values for the above attributes using the same
password value.
Here: https://help.ubuntu.com/10.04/serverguide/C/kerberos-ldap.html I
have found a quite descriptive tutorial, which, unfortunately, does not
cover the above issues.
Any feedback and system design advice will be appreciated.
Thanks in advance,
Nick
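The following is an added example, not code from the original post or from any of the projects mentioned in it. It shows the constraint that decides the question above: a Kerberos principal key is string2key(cleartext password), so it can only be produced from a userPassword that is stored in the clear (or `{CLEARTEXT}`), never from a one-way hash such as `{SSHA}`. The script parses a constructed LDIF export, splits entries into those whose principal can be created from the existing password and those that cannot, renders a `kadmin.local` batch for the first group, and emits an LDIF that switches those users to OpenLDAP's `{SASL}` pass-through scheme so that later simple binds are verified against the KDC (via saslauthd) and the password exists in one place only. The realm `EXAMPLE.COM`, the base DN and all entries are assumptions.

```python
"""Decide which LDAP users can get a Kerberos key from their existing
userPassword, and render the kadmin.local / LDIF steps to do it.
Added example; realm, DNs and sample entries are constructed."""
import base64
import re

REALM = "EXAMPLE.COM"  # assumed realm name

# Constructed sample export (not real data): alice and bob are cleartext,
# carol is a one-way hash, dave already delegates to Kerberos via {SASL}.
_B64_BOB = base64.b64encode(b"{CLEARTEXT}battery-staple").decode("ascii")
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: person
uid: alice
userPassword: s3cret-pass

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: person
uid: bob
userPassword:: B64BOB

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: person
uid: carol
userPassword: {SSHA}constructed-not-a-real-hash==

dn: uid=dave,ou=people,dc=example,dc=com
objectClass: person
uid: dave
userPassword: {SASL}dave@EXAMPLE.COM
""".replace("B64BOB", _B64_BOB)

SCHEME_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.DOTALL)


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} per blank-line block.
    Handles 'attr: value' and base64 'attr:: value'; no continuation lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def classify_password(stored):
    """Return (kind, payload): 'cleartext', 'sasl' or 'hashed'.
    Only 'cleartext' can be fed to string2key to make a principal key."""
    m = SCHEME_RE.match(stored)
    if not m:
        return "cleartext", stored
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme == "CLEARTEXT":
        return "cleartext", payload
    if scheme == "SASL":
        return "sasl", payload
    return "hashed", scheme


def plan_sync(entries, realm=REALM):
    """Split entries into (principal, password) pairs that can be created
    now and (principal, reason) pairs that need another path."""
    creatable, skipped = [], []
    for e in entries:
        if "uid" not in e or "userPassword" not in e:
            continue
        principal = f"{e['uid'][0]}@{realm}"
        kind, payload = classify_password(e["userPassword"][0])
        if kind == "cleartext":
            creatable.append((principal, payload))
        elif kind == "sasl":
            skipped.append((principal, "already verified by the KDC via {SASL}"))
        else:
            skipped.append((principal, f"{payload} is one-way; key it at next password change"))
    return creatable, skipped


def kadmin_batch(creatable):
    """One add_principal per line, meant to be piped to kadmin.local on
    stdin so the passwords never appear in argv (as they would with -q)."""
    lines = []
    for principal, password in creatable:
        if any(c.isspace() or c == '"' for c in password):
            raise ValueError(f"{principal}: password needs interactive entry")
        lines.append(f"add_principal -pw {password} {principal}")
    return "\n".join(lines) + "\n"


def sasl_passthrough_ldif(entries, creatable, realm=REALM):
    """LDIF that points the newly keyed users' userPassword at the KDC
    ({SASL}uid@REALM), so simple binds go through saslauthd/Kerberos."""
    keyed = {p for p, _ in creatable}
    out = []
    for e in entries:
        if "uid" in e and f"{e['uid'][0]}@{realm}" in keyed:
            out.append(f"dn: {e['dn'][0]}\nchangetype: modify\nreplace: userPassword\n"
                       f"userPassword: {{SASL}}{e['uid'][0]}@{realm}\n")
    return "\n".join(out)


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    can, skip = plan_sync(ents)
    print(kadmin_batch(can))
    print(sasl_passthrough_ldif(ents, can))
    for principal, why in skip:
        print(f"# skipped {principal}: {why}")
```

The batch is deliberately rendered rather than executed: review it, then run `kadmin.local < batch` on the KDC. The `{SASL}` step is the part that keeps the two stores from drifting afterwards, because once a user's userPassword is `{SASL}uid@REALM` there is no second password copy to synchronise; entries that are already hashed can only be keyed when the user next sets a password, at which point the cleartext is briefly available to whatever password-change hook you use.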