On 2/15/19 2:57 AM, Derek Zhou wrote:
> Yeah, adding Kerberos is a complexity and you cannot change password
> via LDAP anymore; it has to go through the Kerberos route. My notion of
> "safe" is only referring to the fact that the password text is not
> stored anywhere and the rogue admin cannot read users' passwords.
If you set the password-hash directive in slapd.conf and use the
Password Modify extended operation (e.g. via the CLI tool ldappasswd),
then no clear-text password is stored. Choose a salted hash scheme.

In contrast to that, a KDC must store a reversibly encrypted shared
secret derived from the user's password, which can be directly abused in
the Kerberos protocol if the KDC system gets hacked.
> I haven't found a good and up-to-date howto with step-by-step
> instructions on ppolicy with cn=config. I'd appreciate it if someone
> here could give me a pointer.
I have no docs at hand which are better than OpenLDAP's admin guide.

Ciao, Michael.
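Michael's point, that with password-hash (olcPasswordHash under cn=config) and the Password Modify extended operation slapd stores only a salted hash, can be checked against a directory export. The following is an added example, not code from this thread or from the OpenLDAP project: it reproduces the {SSHA} encoding slapd uses (base64 of SHA-1(password || salt) followed by the salt), verifies a password against such a value the way a bind does, and audits the userPassword values in a constructed LDIF fragment, flagging entries that were written cleartext or with an unsalted scheme. The function names, scheme lists and sample entries are my own assumptions. One caveat worth keeping in mind when auditing: password-hash only applies to the Password Modify operation, so a client that writes the userPassword attribute directly stores whatever it sends, which is exactly what the cleartext check below catches.

```python
"""Audit userPassword storage in an OpenLDAP LDIF export (added example).

Assumes OpenLDAP's {SSHA} layout: base64(SHA1(password || salt) || salt).
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Scheme lists are an assumption for this example, not an exhaustive
# enumeration of what slapd supports.
SALTED = {"SSHA", "SSHA256", "SSHA384", "SSHA512", "SMD5", "CRYPT", "ARGON2"}
UNSALTED = {"SHA", "SHA256", "SHA384", "SHA512", "MD5"}


def ssha_hash(password: str, salt: bytes | None = None) -> str:
    """Produce a {SSHA} value as slapd stores it when password-hash is {SSHA}."""
    if salt is None:
        salt = os.urandom(8)  # slapd picks a random salt per password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt); SHA-1 digests are 20 bytes."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value, as slapd does on bind."""
    if not stored.startswith("{SSHA}"):
        return False
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def classify(value: str) -> str:
    """Classify one userPassword value: cleartext, unsalted, salted or unknown."""
    if not value.startswith("{") or "}" not in value:
        return "cleartext"  # no {SCHEME} prefix: slapd stored it verbatim
    scheme = value[1:value.index("}")].upper()
    if scheme == "CLEARTEXT":
        return "cleartext"
    if scheme.startswith("PBKDF2") or scheme in SALTED:
        return "salted"
    if scheme in UNSALTED:
        return "unsalted"
    return "unknown"


def audit_ldif(ldif: str) -> list[tuple[str, str]]:
    """Walk an LDIF export and return (dn, classification) per userPassword."""
    findings = []
    dn = ""
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[len("dn: "):]
        elif line.startswith("userPassword:: "):  # '::' marks a base64 value
            raw = base64.b64decode(line[len("userPassword:: "):])
            findings.append((dn, classify(raw.decode("utf-8"))))
        elif line.startswith("userPassword: "):
            findings.append((dn, classify(line[len("userPassword: "):])))
    return findings


# Constructed sample export: one salted entry, one cleartext, one unsalted.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword: " + ssha_hash("alice-pw", b"\x01\x02\x03\x04\x05\x06\x07\x08"),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword: bobs-cleartext-pw",
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=").decode("ascii"),
])

if __name__ == "__main__":
    for entry_dn, kind in audit_ldif(SAMPLE_LDIF):
        print(f"{kind:10} {entry_dn}")
```

Running the script lists each entry with its storage class; anything reported as cleartext or unsalted is a candidate for a forced password change through ldappasswd so that the configured hash scheme applies.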