On 2/15/19 2:57 AM, Derek Zhou wrote:
> Yeah, adding Kerberos is a complexity and you cannot change the password via LDAP anymore; it has to go through the Kerberos route. My notion of "safe" is only referring to the fact that the password text is not stored anywhere and a rogue admin cannot read users' passwords.
If you set the password-hash directive in slapd.conf and use the Password Modify extended operation (e.g. via the CLI tool ldappasswd), then no clear-text password is stored. Choose a salted hash scheme.

In contrast to that, a KDC must store a reversibly encrypted shared secret derived from the user's password, which can be directly abused in the Kerberos protocol if the KDC system gets hacked.
> I haven't found a good and up-to-date howto with step-by-step instructions on ppolicy with cn=config. I'd appreciate it if someone here could give me a pointer.
I have no docs at hand which are better than OpenLDAP's admin guide.
Ciao, Michael.