To: Дилян Палаузов <dilyan.palauzov@aegee.org>,
<krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <460d9a05-3339-dc3c-f665-39ba2241dcbb@mit.edu>
Date: Tue, 10 Sep 2019 01:34:54 -0400
In-Reply-To: <c4188973c8c291a1cf5345f0fd62849554d53a08.camel@aegee.org>

On 9/6/19 11:43 AM, Дилян Палаузов wrote:
> Alright. While “kdb5_ldap_util create -r Y.EXAMPLE” does take the ldap address from the ldap_servers setting for the
> realm/domain, so no -H parameter is necessary, how is “kdb5_ldap_util list” supposed to obtain the address of the
> ldap_server to connect to? Does it use, if -H is missing, the ldap_server of the default domain?

Yes.

> Is there any way that MIT Kerberos with LDAP can use the
> user passwords stored in inetorgperson:userPassword attribute, instead of from the krbPrincipalKey: attribute? The use
> case is to reuse an existing infrastructure, where passwords are already hashed in userPassword.

No, a Kerberos database cannot use hashed LDAP passwords. Kerberos uses
an enctype-specific string-to-key conversion on passwords, and that
conversion doesn't resemble the password hashing used in LDAP.

> admin/conf_ldap.html proposes these access rights:

These and some of the other rights can be removed from the
documentation, as far as I can tell. They may date back to the Novell
eDirectory origins of the LDAP KDB module.

I filed https://github.com/krb5/krb5/pull/974 to update the
documentation, and will merge it after review. Thanks for the detailed
feedback. (Also, per the ticket you filed a week ago, I will look into
adding epub versions of the documentation.)
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
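
The mismatch between LDAP password hashing and Kerberos string-to-key described in the reply above, as an added example that is not part of the original message or of MIT krb5's code. It assumes the userPassword values use the salted SHA-1 `{SSHA}` scheme and the principal uses an AES enctype (RFC 3962); the password and principal names are constructed, and the final RFC 3961 DK() step of string-to-key is omitted.

```python
import base64
import hashlib
import hmac
import os


def ldap_ssha(password: str, salt: bytes) -> str:
    """LDAP userPassword value: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ldap_ssha_verify(stored: str, candidate: str) -> bool:
    """What an LDAP simple bind does: re-hash the candidate with the stored salt."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def krb5_aes_pbkdf2_stage(password: str, principal: str, realm: str,
                          iterations: int = 4096, keylen: int = 32) -> bytes:
    """First stage of the RFC 3962 AES string-to-key.

    PBKDF2-HMAC-SHA1 over the cleartext password, with the default salt
    (realm followed by the principal's name components) and the default
    iteration count of 4096. The real key is DK() of this output.
    """
    salt = (realm + "".join(principal.split("/"))).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, keylen)


def demo():
    password = "correct horse"  # constructed sample password
    stored = ldap_ssha(password, os.urandom(8))
    alice = krb5_aes_pbkdf2_stage(password, "alice", "Y.EXAMPLE")
    bob = krb5_aes_pbkdf2_stage(password, "bob", "Y.EXAMPLE")
    # Feeding the stored hash in place of the password yields an unrelated key:
    # both functions are one-way and start from the cleartext.
    from_hash = krb5_aes_pbkdf2_stage(stored, "alice", "Y.EXAMPLE")
    return stored, alice, bob, from_hash


if __name__ == "__main__":
    stored, alice, bob, from_hash = demo()
    print(stored)
    print("alice:", alice.hex())
    print("bob:  ", bob.hex())
    print("key derived from the LDAP hash matches alice:", from_hash == alice)
```
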