My LDAP skillz are (very) slowly coming along - thanks to good folk here, I think I have figured out ACLs and I have managed to get rwm/relay to emulate an old tree structure (well enough) whilst being able to design a better structure for our department.
My next question is just a request for a pointer.
My understanding of LDAP authentication is very limited. What I would like to do is a 2 phase transition to kerberos (which I do understand):
1) Rig OpenLDAP so all password changes get sent to the kerberos server but do not use it for authentication. In the meantime we will continue authenticate with the SSHA1 hashes in the user's LDAP entry.
2) After some time (months) when everyone has eventually done a password change, the Kerberos server will be well enough in sync. Now I would like to switch OpenLDAP to using kerberos on the backend (ie for binds etc) and I will purge the SSHA1 hashes.
================== I most interested in some pointers for stage 1) is someone could be kind enough to help me out - is there a particular name for this mechanism, or a module that handles this kind of stuff? ==================
2) I think I can probably google for myslef (keywords SASL and/or GSSAPI and/or LDAP+Kerberos. I've had a skim but did not notice an obvious way to handle 1) without 2)
I apologise if it's a dumb question :-o
Many thanks in advance :)