
Re: Migrating from local LDAP auth to LDAP+kerberos



On Mon, 26 Sep 2011 09:05:31 +0100, Tim Watts wrote:

> 1) Once LDAP is backended with kerberos

I haven't been paying attention the last couple of years, but this used
to be a bad idea (primarily because it's easy to get auth loops?).

In either case, you can 'bind' LDAP and Kerberos using the userPassword
attribute like so (using Cyrus SASL):

   userPassword: {SASL}[KERBEROS_PRINCIPAL]

> 2) Can I migrate users piecemeal, eg remove their LDAP passwords one
> by one and (possibly tweaking something on the LDAP directory) have
> those users auth through to kerberos, while other users auth to the
> LDAP directory, until everyone is moved?

That I actually learned myself last week :). Apparently you can have multiple
userPassword attributes! :)


SHAMELESS PLUG: Have a look at http://www.bayour.com/LDAPv3-HOWTO.html. It's getting a little old now, but much of it is still relevant.

DISCLAIMER: Some of the hardcore LDAP admins/coders dislike some of my
recommendations (rightfully), but I'm only trying to make a point :)
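Putting the two answers above together as a worked example (added here; this is not from the original post or from the LDAPv3-HOWTO): the Cyrus SASL pass-through that OpenLDAP's `{SASL}` scheme relies on, followed by the two per-user LDIF changes that let you move users one at a time. The DN, uid, realm and base DN (`twatts`, `EXAMPLE.COM`, `dc=example,dc=com`) are made up for illustration; the SASL config path and the `saslauthd -a kerberos5` invocation are the standard OpenLDAP/Cyrus ones but vary by distribution.

```ldif
# --- slapd side (shown as comments; these are not LDIF) ---
# slapd must be built with pass-through support (--enable-spasswd) and reads
# its Cyrus SASL config from /usr/lib/sasl2/slapd.conf (or /etc/sasl2/slapd.conf):
#   pwcheck_method: saslauthd
#   mech_list: plain login
# saslauthd is started against the KDC rather than against LDAP, which avoids
# the bind-calls-saslauthd-calls-LDAP loop:
#   saslauthd -a kerberos5
#
# --- Step 1, per user: add a {SASL} value NEXT TO the existing hash ---
# userPassword is multi-valued; a simple bind succeeds if either value
# verifies, so the user keeps working whichever path is taken.
dn: uid=twatts,ou=People,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: {SASL}twatts@EXAMPLE.COM

# --- Step 2, once that user is confirmed to bind via Kerberos: drop the hash ---
# 'replace' discards every existing value and leaves only the pass-through one,
# so there is no need to know the old hash to delete it.
dn: uid=twatts,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}twatts@EXAMPLE.COM
```

Apply each step with something like `ldapmodify -x -ZZ -D "cn=admin,dc=example,dc=com" -W -f migrate-twatts.ldif` and check the user with an `ldapwhoami -x -ZZ -D "uid=twatts,..." -W` before running step 2. Two caveats a practitioner should keep in mind: pass-through only works for simple binds (slapd hands the cleartext password to `sasl_checkpass()`), so the password now crosses the wire in the clear unless TLS is enforced (e.g. `security simple_bind=128` in slapd.conf, which is why `-ZZ` is used above); and the principal after `{SASL}` must be exactly what saslauthd will verify, so a user whose Kerberos principal differs from their uid needs the real principal written in the value.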