slapd, SASL passthrough and changing passwords smashing userPassword
- To: openldap-technical@openldap.org
- Subject: slapd, SASL passthrough and changing passwords smashing userPassword
- From: Tim Watts <tw@dionic.net>
- Date: Mon, 25 Feb 2013 14:53:39 +0000
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0
Hi folks,
I hope this is a quick and easy one :)
I have slapd 2.4.23 working with passthrough to MIT kerberos via
saslauthd. I use smbkrb5pwd (a hack on smbk5pwd) to pass password
changes through to kerberos (creating or modifying the target principal
as required).
To enable a particular user to bind to slapd with their kerberos
password, I'm setting:
userPassword: {SASL}myuid@MY.KERBEROS.REALM.EXAMPLE.COM
This works *very nicely*. Except one thing...
Using passwd via pam_ldap or ldappasswd directly smashes userPassword:
and replaces the value with the password hash. Both mechanisms are doing
EXOP password changes.
Is there any way to stop this happening when the mechanism in
userPassword is {SASL} ?
Or maybe there is another way to enable global SASL password passthroughs?
======
I'm in a transition phase. I need to import the slapcat output from the
old LDAP server to my new one. At this point, all authentication should
be done with the existing userPassword hash. Password changes should
update this hash and create/modify principals on the kerberos server.
3 months later, I want to switch the auth mechanism on all accounts to
passthrough to kerberos, at which point, ldappasswd should still work
but via smbkrb5pwd updating kerberos.
Maybe my strategy is wrong, but that's the basic problem I need to solve.
Am I trying this the wrong way?
Cheers and thanks in advance for any ideas.
Tim
--
Tim Watts
Personal Blog:
http://www.dionic.net/tim/
"She got her looks from her father. He's a plastic surgeon."
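
Added example, not part of the original message: a Python check over slapcat-style LDIF that reports entries whose userPassword no longer carries the {SASL} scheme, which is how an overwrite by an EXOP password change would show up after the switch to pass-through. The sample entries, DNs and function names are constructed for illustration, and plain (non-base64) `dn:` lines are assumed.

```python
import base64

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed slapcat-style sample (not from the original post). slapcat
# usually emits userPassword base64-encoded ("::"); long lines are folded.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "userPassword:: " + _b64("{SASL}alice@MY.KERBEROS.REALM.EXAMPLE.COM") + "\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "userPassword:: " + _b64("{SSHA}constructed-placeholder-hash") + "\n"
    "\n"
    "dn: uid=carol,ou=people,dc=example,dc=com\n"
    "userPassword: {SASL}carol@MY.KERBEROS.REALM.\n"
    " EXAMPLE.COM\n"
)

def unfold(ldif):
    """Join LDIF continuation lines (lines that begin with a single space)."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def password_schemes(ldif):
    """Map each DN to the scheme of its userPassword, e.g. 'SASL' or 'SSHA'."""
    schemes, dn = {}, None
    for line in unfold(ldif):
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:") and dn:
            _, _, raw = line.partition(":")
            if raw.startswith(":"):  # "::" marks a base64-encoded value
                value = base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
            else:
                value = raw.strip()
            closing = value.find("}")
            is_scheme = value.startswith("{") and closing > 1
            schemes[dn] = value[1:closing].upper() if is_scheme else "cleartext"
    return schemes

def not_passthrough(ldif):
    """DNs whose userPassword no longer delegates to saslauthd via {SASL}."""
    return sorted(dn for dn, s in password_schemes(ldif).items() if s != "SASL")

if __name__ == "__main__":
    for dn in not_passthrough(SAMPLE_LDIF):
        print("userPassword is not {SASL}:", dn)
```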