Tim Watts wrote:
(Line wrap warning) - some nice person has already done the job for MIT
The system described above is a bit fragile, because if one of the systems
fails, the password might only be changed in LDAP or Kerberos.
On the face of it - that looks absolutely perfect!
A better approach is taken in the FreeIPA project:
There's a SLAPI plugin for 389 DS which supports MIT Kerberos. A C programmer
might be able to adapt this as an OpenLDAP overlay (similar to OpenLDAP's