
Re: Kerberos with LDAP backend: password sync



Nick Milas wrote:
> Yes, it's the MIT Kerberos. And, after looking into smbk5pwd, it does the
> opposite (of what I want): it automatically gets the value for userPassword based
> on the Principal key (krb5Key) attribute (using the krb5-kdc.schema).

No, it can do two things:

1. Intercept a Password Modify Extended Request and populate krb5Key based on the new clear-text password.

2. Intercept a simple Bind Request and check the user's password against krb5Key if userPassword is set to the value {K5KEY}.

From what I understood in your original posting, you want 1. But you have to use heimdal as KDC for that.

> I am looking into whether it is possible to automatically populate/produce
> krbPrincipalKey attribute values (kerberos.schema) based on current
> userPassword attribute values (person objectClass in core.schema), without
> knowing the stored password (encoded mainly as MD5).

Maybe you can extend smbk5pwd to do that or derive your own overlay from that code.

Ciao, Michael.
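The two hooks Michael describes, and the reason a hashed userPassword cannot feed them, as an added illustration that is not part of this thread and not smbk5pwd's own code. It assumes a directory entry modelled as a plain dict with the krb5Key and krb5PrincipalName attributes from the krb5-kdc.schema, a constructed sample user, and, in place of a real Kerberos key, only the PBKDF2 stage of the RFC 3962 aes128 string-to-key (the final AES-based DK step is deliberately left out, so the value stored under krb5Key here is not a real krb5Key). The hash handling follows RFC 2307 ({MD5}, {SMD5}, {SHA}, {SSHA}).

```python
"""Example only: models smbk5pwd's two hooks against a dict 'entry'.
Not the overlay's code; krb5Key holds only the PBKDF2 stage of RFC 3962
string-to-key, not a real Kerberos key (assumption stated in the lead-in)."""
import base64
import hashlib
import hmac
import os

# RFC 2307 schemes slapd commonly stores in userPassword.
_PLAIN = {"MD5": "md5", "SHA": "sha1"}
_SALTED = {"SMD5": "md5", "SSHA": "sha1"}


def encode_userpassword(scheme: str, password: str, salt: bytes = b"") -> str:
    """Return an RFC 2307 value such as '{SSHA}<base64(digest||salt)>'."""
    scheme = scheme.upper()
    if scheme in _PLAIN:
        digest = hashlib.new(_PLAIN[scheme], password.encode()).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest).decode())
    if scheme in _SALTED:
        salt = salt or os.urandom(4)
        digest = hashlib.new(_SALTED[scheme], password.encode() + salt).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())
    raise ValueError("unsupported scheme %s" % scheme)


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate against a hashed value. This is all a hash permits:
    the clear text is not recoverable, so nothing key-like can be derived
    from an existing {MD5} userPassword; only a fresh clear text will do."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme in _PLAIN:
        expected = hashlib.new(_PLAIN[scheme], candidate.encode()).digest()
        return hmac.compare_digest(base64.b64decode(b64), expected)
    if scheme in _SALTED:
        raw = base64.b64decode(b64)
        n = hashlib.new(_SALTED[scheme]).digest_size
        digest, salt = raw[:n], raw[n:]
        expected = hashlib.new(_SALTED[scheme], candidate.encode() + salt).digest()
        return hmac.compare_digest(digest, expected)
    return False  # {K5KEY}, {CRYPT}, ...: not a hash this function checks


def krb5_pbkdf2_stage(password: str, realm: str, principal: str,
                      iterations: int = 4096, keylen: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 aes128-cts string-to-key:
    salt = realm followed by the principal's name components with no
    separators, default 4096 iterations. RFC 3962 then applies
    DK(tkey, "kerberos"); that AES step is omitted here (see lead-in)."""
    salt = (realm + principal.replace("/", "")).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, keylen)


def _principal_of(entry: dict) -> str:
    return entry["krb5PrincipalName"].split("@")[0]


def on_password_modify(entry: dict, new_password: str, realm: str) -> dict:
    """Hook 1: the Password Modify Extended Request carries the clear text,
    so the overlay can set userPassword and krb5Key from the same value."""
    entry["userPassword"] = encode_userpassword("SSHA", new_password)
    entry["krb5Key"] = krb5_pbkdf2_stage(new_password, realm, _principal_of(entry))
    return entry


def on_simple_bind(entry: dict, candidate: str, realm: str) -> bool:
    """Hook 2: when userPassword is literally '{K5KEY}', a simple bind is
    checked against krb5Key; otherwise the ordinary hash check applies."""
    stored = entry.get("userPassword", "")
    if stored == "{K5KEY}":
        derived = krb5_pbkdf2_stage(candidate, realm, _principal_of(entry))
        return hmac.compare_digest(entry["krb5Key"], derived)
    return verify_userpassword(stored, candidate)


# Constructed sample user (not from the thread): an existing entry that
# holds only an {MD5} hash, the situation Nick describes.
REALM = "EXAMPLE.COM"
SAMPLE_ENTRY = {
    "uid": "nick",
    "krb5PrincipalName": "nick@EXAMPLE.COM",
    "userPassword": encode_userpassword("MD5", "old-secret"),
}

if __name__ == "__main__":
    e = dict(SAMPLE_ENTRY)
    print("hash verifies:", verify_userpassword(e["userPassword"], "old-secret"))
    on_password_modify(e, "new-secret", REALM)        # clear text available
    print("krb5Key set:", "krb5Key" in e)
    e["userPassword"] = "{K5KEY}"
    print("bind via krb5Key:", on_simple_bind(e, "new-secret", REALM))
```

Running it with only the {MD5} entry shows the dead end: verify_userpassword can confirm a candidate but yields no material for krb5Key, which is why populating the key has to happen in the extended-operation path (hook 1), where the new clear-text password is present, rather than from stored userPassword values.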