Hey,
On 05/28/2012 10:25 PM, Tim Watts wrote:
- Rig OpenLDAP so all password changes get sent to the kerberos
server but do not use it for authentication. In the meantime we will continue authenticate with the SSHA1 hashes in the user's LDAP entry.
The usual way to do this on most *nix systems is to actually 'rig' the PAM. In debian for example you setup your /etc/pam.d/common-password to contain something like:
password sufficient pam_krb5.so ignore_root password required pam_unix.so nullok obscure min=4 max=8 sha256 use_first_pass
this sets up most of your tools to use the right modules when changing the password, e.g. 'passwd'.
I do not know if you could do something like 'referring' a password change request from the OpenLDAP server to the kerberos server but since this would be an invitation von mitm attacks I doubt it.
- After some time (months) when everyone has eventually done a
password change, the Kerberos server will be well enough in sync. Now I would like to switch OpenLDAP to using kerberos on the backend (ie for binds etc) and I will purge the SSHA1 hashes.
We successfully auth against kerberos with our LDAP, you might be interested in reading the SASL section of man slapd-config. Make sure you ahve compiled your OpenLDAP with SASL support and have successfully kerberized your server.
happy configuration party :)