On 29/05/12 17:42, Michael Ströder wrote:
Tim Watts wrote:
http://www.opinsys.fi/en/smbkrb5pwd-password-syncing-for-openldap-mit-kerber... (Line wrap warning) - some nice person has already done the job for MIT Kerberos :->>>
The system described above is a bit fragile, because if one of the systems fails the password might only be changed in LDAP or in Kerberos.
True.
In this case, the correct scenario for my environment is to fail the password change completely if the backends are not all contactable.
One of the points of using Kerberos is not to have cleartext (or decryptable) passwords lying around (the other being very secure methods of challenging the password), which you would have to do to put the password change in a queue for delayed changing, and I cannot see[1] any other way to safely queue a Kerberos hash in a documented way, unlike an LDAP userPassword, where you could possibly precompute an SSHA1 hash and queue that.
[1] Which does not mean it is impossible, but I would be very interested in how it would be possible.
On the face of it - that looks absolutely perfect!
Hmm...
A better approach is taken in the FreeIPA project: There's a SLAPI plugin for 389 DS which supports MIT Kerberos. A C programmer might be able to adapt this as an OpenLDAP overlay (similar to OpenLDAP's slapo-smbk5pwd).
Ciao, Michael.
SLAPI? Not heard of those; I shall go and Google.
Many thanks for all that - interesting stuff :)
Cheers
Tim
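As an added illustration of the LDAP half of Tim's point (this is example code written for this page, not code from the thread, from smbkrb5pwd or from FreeIPA): an RFC 2307-style {SSHA} userPassword value can be computed up front and held in a pending-change record that never contains the cleartext, and later applied and verified against the directory. The record layout and the in-memory stand-in for the directory are assumptions; nothing here addresses the Kerberos side.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-compatible {SSHA} value: base64(SHA1(password || salt) || salt).

    The salt is appended to the digest so a verifier can recover it; 8 random
    bytes is a common choice, but any length works because the digest is fixed-size.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: str) -> bool:
    """Verify a cleartext password against a stored {SSHA} value.

    Raises ValueError on malformed input instead of silently returning False,
    so a corrupted queue entry is noticed rather than treated as a bad password.
    """
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("bad base64 in {SSHA} value") from exc
    if len(raw) < SHA1_LEN:
        raise ValueError("{SSHA} payload shorter than a SHA-1 digest")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison; the digest is not secret per se, but it costs nothing.
    return hmac.compare_digest(candidate, digest)


# --- Assumed queue and directory stand-ins (not any real product's format) ---

def queue_ldap_password_change(queue: List[Dict[str, str]], dn: str, password: str) -> Dict[str, str]:
    """Precompute the hash now and queue only the hash; the cleartext is not retained."""
    entry = {"dn": dn, "userPassword": make_ssha(password)}
    queue.append(entry)
    return entry


def apply_queue(queue: List[Dict[str, str]], directory: Dict[str, Dict[str, str]]) -> int:
    """Apply queued changes to an in-memory directory (a dict keyed by DN); returns count."""
    applied = 0
    while queue:
        entry = queue.pop(0)
        directory.setdefault(entry["dn"], {})["userPassword"] = entry["userPassword"]
        applied += 1
    return applied


if __name__ == "__main__":
    pending: List[Dict[str, str]] = []
    ldap: Dict[str, Dict[str, str]] = {}
    queue_ldap_password_change(pending, "uid=tim,dc=example,dc=com", "correct horse")
    print("queued entry holds no cleartext:", pending[0])
    apply_queue(pending, ldap)
    print("verify:", check_ssha(ldap["uid=tim,dc=example,dc=com"]["userPassword"], "correct horse"))
```

The queued record is safe to persist on disk in the way an {SSHA} userPassword attribute already is in the DIT; that is exactly what has no equivalent for a Kerberos principal in the thread's discussion, which is why Tim opts to fail the whole change when a backend is unreachable rather than queue it.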