[30951] in Kerberos
Re: LDAP-Kerberos sync passwords
daemon@ATHENA.MIT.EDU (Simo Sorce)
Tue Mar 31 10:38:53 2009
From: Simo Sorce <ssorce@redhat.com>
To: Michael Ströder <michael@stroeder.com>
In-Reply-To: <qs69a6-7o4.ln1@nb2.stroeder.com>
Date: Tue, 31 Mar 2009 10:37:30 -0400
Message-Id: <1238510250.4858.13.camel@localhost.localdomain>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Tue, 2009-03-31 at 12:12 +0200, Michael Ströder wrote:
> Adriana Gologaneanu wrote:
> > Debian Etch
> > - slapd: 2.3.30-5+etch2
> > - krb5-kdc: 1.4.4-7etch6
> >
> > I just found with Lenny a plugin: krb5-kdc-ldap that allows the KDC data
> > to be stored in an LDAP server.
> > Let me test it and I will give you a feedback.
>
> It won't help since the credentials are stored in different attributes.
>
> You need something which syncs the credential attributes. This is e.g.
> possible with OpenLDAP/Heimdal and a server-side overlay (server-side
> plugin) called smbk5pwd which intercepts the LDAP Password Modify
> Extended Operation requests and then sets all relevant attributes. The
> FreeIPA folks have implemented something similar for MIT KDC with Fedora
> Directory Server. I don't know a solution for OpenLDAP / MIT KDC though.
>
> Also note that the LDAP schema for MIT KDC and heimdal KDC differ.

The FreeIPA plugin has been written using the SLAPI interface. I think
OpenLDAP still supports that interface too, so maybe it is not too
difficult to port the plugin to OpenLDAP.

Simo.
-- Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
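
The interception step described in the quoted text, as an added example that is not part of the original message and is not smbk5pwd or FreeIPA code: it decodes an RFC 3062 Password Modify request value (OID 1.3.6.1.4.1.4203.1.11.1) and shows that the cleartext new password is available at that point, which is what lets one hook write both credential attributes. The `sync_plan` function, the `derive_krb_keys` callback (a hypothetical stand-in for the KDC library's string-to-key) and the sample request are assumptions.

```python
import base64, hashlib, os

# Constructed sample request value: [0] userIdentity and [2] newPasswd.
DN, PW = b"uid=alice,dc=example,dc=com", b"s3cret"
_body = bytes([0x80, len(DN)]) + DN + bytes([0x82, len(PW)]) + PW
SAMPLE = bytes([0x30, len(_body)]) + _body

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one BER TLV; definite lengths only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_passwd_modify(value):
    """Decode SEQUENCE { [0] userIdentity, [1] oldPasswd, [2] newPasswd }, all optional."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("request value is not a single SEQUENCE")
    names = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
    fields, pos = {}, 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag not in names or names[tag] in fields:
            raise ValueError("unexpected or repeated field")
        fields[names[tag]] = val
    return fields

def ssha(password, salt=None):
    """Salted SHA-1 userPassword value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def sync_plan(value, derive_krb_keys):
    """Build both credential values from the one cleartext the hook sees."""
    req = parse_passwd_modify(value)
    if "newPasswd" not in req:  # client asked the server to generate a password
        raise ValueError("no newPasswd in request; nothing to derive keys from")
    return {"dn": req.get("userIdentity", b"").decode(),
            "userPassword": ssha(req["newPasswd"]),
            "kerberosKeys": derive_krb_keys(req["newPasswd"])}
```

Because the hook handles the cleartext password, it runs only inside the directory server and should be reachable only over a protected connection; copying the stored `userPassword` hash afterwards cannot produce Kerberos keys.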