Hey,

On 05/28/2012 10:25 PM, Tim Watts wrote:
> 1) Rig OpenLDAP so all password changes get sent to the kerberos
> server but do not use it for authentication. In the meantime we will
> continue to authenticate with the SSHA1 hashes in the user's LDAP
> entry.

The usual way to do this on most *nix systems is to actually 'rig' the PAM.
In Debian, for example, you set up your /etc/pam.d/common-password to contain
something like:

    password sufficient pam_krb5.so ignore_root
    password required pam_unix.so nullok obscure min=4 max=8 sha256 use_first_pass

This sets up most of your tools to use the right modules when changing the
password, e.g. 'passwd'. I do not know if you could do something like
'referring' a password change request from the OpenLDAP server to the
Kerberos server, but since this would be an invitation to MITM attacks I
doubt it.

> 2) After some time (months) when everyone has eventually done a
> password change, the Kerberos server will be well enough in sync. Now
> I would like to switch OpenLDAP to using kerberos on the backend (ie
> for binds etc) and I will purge the SSHA1 hashes.

We successfully auth against Kerberos with our LDAP; you might be interested
in reading the SASL section of man slapd-config. Make sure you have compiled
your OpenLDAP with SASL support and have successfully kerberized your server.

happy configuration party :)

--
Technische Universität Berlin - FGINET
Bernd May
System Administration
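Added example, not part of the mail above: a small simulator of Linux-PAM control-flag semantics, run over the two-line common-password stack quoted in the reply, to show which modules actually execute for a given outcome. The module results are constructed inputs (no real PAM calls), and the second stack, with both modules marked required, is an assumed alternative for comparison.

```python
# Constructed inputs: the stack quoted in the mail, and an assumed variant
# where both modules are "required" so the stack never stops early.
STACK_FROM_MAIL = """
password sufficient pam_krb5.so ignore_root
password required pam_unix.so nullok obscure min=4 max=8 sha256 use_first_pass
"""
STACK_BOTH_REQUIRED = """
password required pam_krb5.so ignore_root
password required pam_unix.so use_authtok
"""

def parse_stack(text):
    """Return [(control, module, args)] for non-empty, non-comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _type, control, module, *args = line.split()
        entries.append((control, module, args))
    return entries

def run_stack(entries, outcomes):
    """Evaluate a stack; outcomes maps module name -> True/False.

    Returns (final_result, modules_that_ran) using the classic rules:
      required   failure is remembered, but later modules still run
      requisite  failure ends the stack immediately
      sufficient success ends the stack (unless a required one failed);
                 failure is ignored
      optional   only counts when it is the sole module in the stack
    """
    ran, failed = [], False
    for control, module, _args in entries:
        ok = outcomes[module]
        ran.append(module)
        if control == "required":
            failed = failed or not ok
        elif control == "requisite" and not ok:
            return False, ran
        elif control == "sufficient" and ok and not failed:
            return True, ran
        elif control == "optional" and len(entries) == 1:
            return ok, ran
    return not failed, ran

def modules_run(stack_text, krb5_ok, unix_ok):
    """Which modules execute for the given per-module outcomes."""
    outcomes = {"pam_krb5.so": krb5_ok, "pam_unix.so": unix_ok}
    return run_stack(parse_stack(stack_text), outcomes)[1]
```

With the quoted stack, a successful pam_krb5 change ends the stack before pam_unix runs; the all-required variant runs both modules, which matters when the goal is to keep two password stores in step.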