Re: Very quick pointer

On 29/05/12 00:00, Bernd May wrote: > Hey, > > On 05/28/2012 10:25 PM, Tim Watts wrote: >> 1) Rig OpenLDAP so all password changes get sent to the kerberos >> server but do not use it for authentication. In the meantime we will >> continue authenticate with the SSHA1 hashes in the user's LDAP >> entry. > The usual way to do this on most *nix systems is to actually 'rig' the > PAM. In debian for example you setup your /etc/pam.d/common-password to > contain something like: > > password sufficient pam_krb5.so ignore_root > password required pam_unix.so nullok obscure min=4 max=8 sha256 > use_first_pass > > this sets up most of your tools to use the right modules when changing > the password, e.g. 'passwd'. Hi Brend,

Thanks for the reply. Unfortunately there's a problem with that - the user would need their old kerberos password before they could initiate a change and in this case, their old kerberos password is unknown because Kerberos has only just existed. > I do not know if you could do something like 'referring' a password > change request from the OpenLDAP server to the kerberos server but since > this would be an invitation von mitm attacks I doubt it. It will be a bit of a pity in this case if it's not possible :( When using password hashes in the user entry, does slapd receive the plaintext password or does the client generate the hash?