Derek Zhou wrote:
Michael Ströder writes:
> On 2/14/19 8:19 AM, Derek Zhou wrote:
>> Better use kerberos for advanced password policy requirements. You can
>> use SASL to bridge LDAP's userPassword checking to a kerberos backend so
>> everything still work and much safer.
> By which definition of "safe" is adding more complexity safer?
> Especially you don't know how the original poster does password changes.
> Maybe he wants to use ppolicy response controls etc.
Yeah, adding kerberos is a complexity and you cannot change password
via ldap anymore; has to go through the kerberos route. My notion of
"safe" is only referring to the fact that the password text is not
stored anywhere and the rogue admin cannot read user's passwords.
slapd does not store plaintext passwords either.
As for kerberos, you can always run the KDC with OpenLDAP as its backing store,
and use e.g. the smbk5pwd overlay to update the kerberos keys when changing a
user's LDAP password. IMO this is a superior solution since a single LDAP-based
admin tool can take care of standard LDAP as well as Kerberos administration.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/