Nick Milas wrote:
On 21/7/2011 8:50 AM, Michael Ströder wrote:

Dan White wrote:

See: contrib/slapd-modules/smbk5pwd/

Note that this overlay only works when using Heimdal software for the KDC, which uses a different LDAP schema. Since the original poster mentioned attributes krbPrincipalName and krbPrincipalKey, he seems to use MIT Kerberos.

Thank you all for your feedback. Yes, it's the MIT Kerberos. And, after looking into smbk5pwd, it does the opposite (of what I want): it automatically gets value for userPassword based on the Principal key (krb5Key) attribute (using the krb5-kdc.schema). I am looking if it is possible to automatically populate/produce krbPrincipalKey attribute values (kerberos.schema) based on current userPassword attribute values (person objectClass in core.schema), without knowing the stored password (encoded mainly as MD5).
Obviously Not.
Any ideas?
Generating a Kerberos key requires knowing the original plaintext that will be used to derive the key. A hashed password cannot be simply reversed into its original plaintext; that's the point of hashing it.
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
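
The point made in the reply above, as an added Python example that is not part of the original thread: an `{MD5}` userPassword value and a Kerberos key are both one-way functions of the plaintext, and the Kerberos derivation also mixes in a per-principal salt, so both can only be produced together at the moment the plaintext is available. The realm, principals, password and function names are constructed, and only the PBKDF2 stage of the RFC 3962 AES string-to-key is shown, so the output is an intermediate key and not a stored krbPrincipalKey value.

```python
import base64
import hashlib

def ldap_md5(password: str) -> str:
    """userPassword in the {MD5} scheme: base64 of the unsalted MD5 digest."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")

def krb_default_salt(principal: str, realm: str) -> bytes:
    """Default Kerberos salt: realm followed by the principal's name components."""
    return (realm + "".join(principal.split("/"))).encode("utf-8")

def krb_aes_pbkdf2(password: str, principal: str, realm: str,
                   iterations: int = 4096, keylen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key.

    Simplification: the final DK(tkey, "kerberos") step is omitted.
    The input is the plaintext password; the MD5 digest cannot stand in for it.
    """
    salt = krb_default_salt(principal, realm)
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, keylen)

def on_password_change(plaintext: str, principal: str, realm: str) -> dict:
    """Hypothetical hook run while the plaintext is still in hand:
    derive the LDAP hash and the Kerberos intermediate key side by side."""
    return {
        "userPassword": ldap_md5(plaintext),
        "krb_intermediate_key": krb_aes_pbkdf2(plaintext, principal, realm).hex(),
    }

if __name__ == "__main__":
    REALM = "EXAMPLE.COM"             # constructed realm
    for user in ("alice", "bob"):     # constructed principals, same password
        print(user, on_password_change("correct horse", user, REALM))
```

Two principals with the same password get the same `{MD5}` value but different Kerberos key material, which is why the stored hash alone carries nothing the key derivation can start from.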