[28993] in Kerberos
Re: Password Syncing to Kerberos using SFU's ssod
daemon@ATHENA.MIT.EDU (John Hascall)
Wed Jan 9 12:36:51 2008
To: "Christopher D. Clausen" <cclausen@acm.org>
In-reply-to: Your message of Wed, 09 Jan 2008 11:13:06 -0600.
<79DB3861B3D6480C879661E5987F4BE0@CDCHOME>
Date: Wed, 09 Jan 2008 11:36:00 CST
Message-ID: <504.1199900160@malison.ait.iastate.edu>
From: John Hascall <john@iastate.edu>
Cc: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
> Colin Simpson <Colin.Simpson@iongeo.com> wrote:
> > I'm looking at finding a new solution to syncing password between AD
> > and Kerberos. We had been using CEDAR for this and it's great but the
> > passwdHK dll on windows hates it if you pass in 8 bit ascii password.
> AD already is Kerberos. Why don't you just use your Active Directory
> controllers as the Kerberos KDCs as well?
AD is approximately Kerberos. And there are myriad reasons, technical,
political, organizational, and more, why an organization might not do so.
In our case, we wrote our own code to do the sync process.
For AD to MIT changes it is a DLL that hooks into the AD
as the 'local password quality checking' DLL. On the MIT
side it was the insertion of a small bit of code in about
a half dozen places (princ create, update, delete, chpass,
etc) into the server-side kadm library. If you check the
archives of this group, I'm pretty sure I've posted
our server-side hooks (anyone who has added their own
incremental-kprop between MIT KDCs is doing essentially
the same thing).
John
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
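Added example (not code from John's post or from CEDAR): the one step in the AD-to-MIT direction that the thread's "8 bit ascii password" complaint turns on. A password-filter DLL registered under Notification Packages receives the new password in PasswordFilter()/PasswordChangeNotify() as a UNICODE_STRING (UTF-16LE, byte-counted, not NUL-terminated), while the MIT side, kadm5_chpass_principal(), takes a NUL-terminated char * that krb5 string-to-keys as UTF-8. The block below converts between the two, rejects inputs that cannot round-trip (lone surrogates, embedded NULs), hands the result to a hand-off callback and wipes the cleartext copy. UNICODE_STRING_STANDIN is an assumed portable stand-in for the Win32 type so this builds on any C99 compiler; record_cb, forward_password and forward_to_recorder are illustrative names, not anything from Windows, CEDAR or MIT Kerberos, and the real DLL entry points and the kadm5 call are not invoked here.

```c
/* Added example: UTF-16LE -> UTF-8 password hand-off for an AD-side sync
 * hook. UNICODE_STRING_STANDIN is an assumption standing in for Win32's
 * UNICODE_STRING so the code compiles outside Windows. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint16_t  Length;         /* bytes in use, NOT characters */
    uint16_t  MaximumLength;  /* bytes allocated */
    uint16_t *Buffer;         /* UTF-16LE code units, no terminator */
} UNICODE_STRING_STANDIN;

/* Wipe that the optimizer will not elide; the DLL holds cleartext. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Decode nunits UTF-16 code units to a malloc'd NUL-terminated UTF-8 string.
 * Returns NULL on a lone/misordered surrogate or an embedded NUL (a NUL would
 * silently truncate the password once it reaches a char * API). */
char *utf16_to_utf8(const uint16_t *u, size_t nunits, size_t *out_len)
{
    unsigned char *out = malloc(nunits * 3 + 1);  /* 3 bytes/unit worst case */
    size_t o = 0;
    if (!out) return NULL;
    for (size_t i = 0; i < nunits; i++) {
        uint32_t cp = u[i];
        if (cp >= 0xD800 && cp <= 0xDBFF) {            /* high surrogate */
            if (i + 1 >= nunits || u[i + 1] < 0xDC00 || u[i + 1] > 0xDFFF)
                goto bad;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (u[i + 1] - 0xDC00);
            i++;
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {     /* stray low surrogate */
            goto bad;
        }
        if (cp == 0) goto bad;
        if (cp < 0x80) {
            out[o++] = (unsigned char)cp;
        } else if (cp < 0x800) {
            out[o++] = (unsigned char)(0xC0 | (cp >> 6));
            out[o++] = (unsigned char)(0x80 | (cp & 0x3F));
        } else if (cp < 0x10000) {
            out[o++] = (unsigned char)(0xE0 | (cp >> 12));
            out[o++] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            out[o++] = (unsigned char)(0x80 | (cp & 0x3F));
        } else {
            out[o++] = (unsigned char)(0xF0 | (cp >> 18));
            out[o++] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
            out[o++] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            out[o++] = (unsigned char)(0x80 | (cp & 0x3F));
        }
    }
    out[o] = '\0';
    if (out_len) *out_len = o;
    return (char *)out;
bad:
    wipe(out, o);
    free(out);
    return NULL;
}

/* What a PasswordChangeNotify-style entry point does with the password:
 * convert, hand off (send_to_kdc is the caller's transport to the MIT side,
 * which ends in kadm5_chpass_principal), then wipe. 1 = sent, 0 = rejected. */
int forward_password(const UNICODE_STRING_STANDIN *pw,
                     int (*send_to_kdc)(const char *utf8, size_t len, void *ctx),
                     void *ctx)
{
    size_t len;
    char *utf8 = utf16_to_utf8(pw->Buffer, pw->Length / 2, &len);
    if (!utf8) return 0;
    int rc = send_to_kdc(utf8, len, ctx);
    wipe(utf8, len);
    free(utf8);
    return rc;
}

/* Test helper: does u[0..n) decode to exactly expect (NULL = must reject)? */
int decodes_to(const uint16_t *u, size_t n, const char *expect)
{
    size_t len;
    char *got = utf16_to_utf8(u, n, &len);
    if (!got) return expect == NULL;
    int ok = expect && len == strlen(expect) && memcmp(got, expect, len) == 0;
    free(got);
    return ok;
}

/* Illustrative hand-off that just records what would have gone to the KDC. */
static char g_recorded[256];
static int record_cb(const char *utf8, size_t len, void *ctx)
{
    (void)ctx;
    if (len >= sizeof g_recorded) return 0;
    memcpy(g_recorded, utf8, len);
    g_recorded[len] = '\0';
    return 1;
}

/* Run the whole AD-side path on n code units; "" means it was rejected. */
const char *forward_to_recorder(const uint16_t *u, size_t n)
{
    UNICODE_STRING_STANDIN pw = { (uint16_t)(n * 2), (uint16_t)(n * 2), (uint16_t *)u };
    g_recorded[0] = '\0';
    forward_password(&pw, record_cb, NULL);
    return g_recorded;
}
```

The point to take from it: a Latin-1 password such as "pässwörd" is two code units with values above 0x7F on the Windows side, and a sync path that treats the buffer as bytes, or as a NUL-terminated string, or that "narrows" it with the ANSI code page, will enrol a different key on the MIT KDC than the user typed. Converting to UTF-8 explicitly and refusing anything that cannot be represented is what keeps the two realms agreeing; the filter should fail closed (return 0) rather than forward a mangled password.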