On 29/05/12 17:42, Michael Ströder wrote:
> Tim Watts wrote:
> > http://www.opinsys.fi/en/smbkrb5pwd-password-syncing-for-openldap-mit-ker...
> > (Line wrap warning) - some nice person has already done the job for MIT
> > Kerberos :->>>
> The system described above is a bit fragile, because if one of the systems
> fails, the password might only be changed in LDAP or Kerberos.
True.
In this case, the correct scenario for my environment is to fail the
password change completely if the backends are not all contactable.
One of the points of using Kerberos is not to have cleartext (or
decryptable) passwords lying around (the other being very secure methods
of challenging the password), which you'd have to do to put the password
change in a queue for delayed changing - and I cannot see[1] any other
way to safely queue a Kerberos hash in a documented way, unlike an LDAP
userPassword, where you could possibly precompute an SSHA1 hash and queue
that.
[1] Which does not mean it is impossible, but I would be very interested
in how it would be possible.
> > On the face of it - that looks absolutely perfect!
> Hmm...
> A better approach is taken in the FreeIPA project:
> There's a SLAPI plugin for 389 DS which supports MIT Kerberos. A C programmer
> might be able to adapt this as an OpenLDAP overlay (similar to OpenLDAP's
> slapo-smbk5pwd).
> Ciao, Michael.
SLAPI? Not heard of those - I shall go Google.
Many thanks for all that - interesting stuff :)
Cheers
Tim
--
Tim Watts
Personal Email
Personal website and blog:
http://www.dionic.net/tim/