
Re: MIT Kerberos and LDAP Backend Passwords synchronization



On 14-02-13 03:18 PM, Abdelkader Chelouah wrote:
> Actually, that's the point, my kerberos data and the userPassword
> are not in separate entries, so the locking issue.

If it isn't possible for you to change that, then I don't think you can
use smbkrb5pwd. smbk5pwd does allow this structure, but only works with
Heimdal.

> As far as SASL passthrough is concerned, we are migrating users from
> OpenLDAP to KDC+OpenLDAP Backend. As we cannot derive a user password
> from the hash, first we have to force users to change their password
> (for the synchronization with the KDC password) and then to use SASL
> passthrough.

Thanks. I think I understand now. I have no good suggestions, only
several poor ones. For example, you could keep the KDC database outside
of LDAP during your transition period and then migrate it to LDAP later.
Or you could use a custom program or script, instead of ldappasswd, that
would authenticate against LDAP and perform an administrative Kerberos
password change without the old password. I'm sure neither of those is
the answer you wanted.

-- 
Ryan Tandy - Programmer/Analyst           rtandy@sd63.bc.ca
School District 63 (Saanich)                +1 250 652 7385
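The "custom program or script" idea from the reply above, written out as an added example (not code from the original thread): it verifies the user's current password with a simple LDAP bind and then sets that password in the MIT KDC administratively, so no old Kerberos password is needed. The LDAP URI, base DN, admin principal and keytab path are assumptions to be adjusted for the real deployment.

```bash
#!/bin/bash
# Added example, not from the thread. Migration helper: check the user's
# LDAP password (simple bind), then set the same password in the MIT KDC
# with an admin principal so the old Kerberos password is never required.
set -euo pipefail

LDAP_URI="${LDAP_URI:-ldap://localhost}"                 # assumed
BASE_DN="${BASE_DN:-ou=People,dc=example,dc=com}"         # assumed
ADMIN_PRINC="${ADMIN_PRINC:-migrate/admin}"               # assumed
ADMIN_KEYTAB="${ADMIN_KEYTAB:-/etc/krb5.migrate.keytab}"  # assumed

# Accept only plain account names, so nothing user-supplied can carry
# special meaning in the LDAP DN or on the kadmin command line.
valid_username() {
    case "$1" in
        '' | *[!a-zA-Z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

user_dn() { printf 'uid=%s,%s' "$1" "$BASE_DN"; }

# Simple bind as the user. ldapwhoami -y uses the complete file contents as
# the password, so the file must hold the password with no trailing newline.
ldap_bind_ok() {
    ldapwhoami -x -H "$LDAP_URI" -D "$(user_dn "$1")" -y "$2" >/dev/null 2>&1
}

# Administrative change_password: kadmin authenticates with the admin keytab
# and reads the new password twice from stdin, so -pw is not needed and the
# secret never appears in process listings.
kdc_set_password() {
    local pw
    pw=$(cat "$2")   # command substitution drops any trailing newline
    printf '%s\n%s\n' "$pw" "$pw" |
        kadmin -k -t "$ADMIN_KEYTAB" -p "$ADMIN_PRINC" \
            -q "change_password $1" >/dev/null
}

main() {
    local user="$1" pwfile="$2"
    valid_username "$user" || { echo "invalid username" >&2; return 2; }
    ldap_bind_ok "$user" "$pwfile" || { echo "LDAP bind failed" >&2; return 1; }
    kdc_set_password "$user" "$pwfile"
    echo "KDC password for $user synchronised"
}

# Usage: MIGRATE_RUN=1 ./sync-krb-pw.sh <username> <password-file>
if [ "${MIGRATE_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it from the same place the users would otherwise run ldappasswd; the password file should be created with a restrictive umask and removed afterwards.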
