On 26/09/11 09:56, turbo@bayour.com wrote:
On Mon, 26 Sep 2011 09:05:31 +0100, Tim Watts wrote:
- Once LDAP is backended with kerberos
I haven't been paying attention the last couple of years, but this used to be a bad idea (primarily because it's easy to get auth loops ?).
In either case, you can 'bind' LDAP and Kerberos using the userPassword attribute like so (using Cyrus SASL):
userPassword: {SASL}[KERBEROS_PRINCIPAL]
- Can I migrate users piecemeal, e.g. remove their LDAP passwords one
by one and (possibly tweaking something on the LDAP directory) have those users auth through to Kerberos, while other users auth to the LDAP directory, until everyone is moved?
That I actually learned myself last week :). Apparently you can have multiple userPassword attributes! :)
SHAMELESS PLUG: Have a look at http://www.bayour.com/LDAPv3-HOWTO.html. It's getting a little old now, but much of it is still relevant.
DISCLAIMER: Some of the hardcore LDAP admins/coders dislike some of my recommendations (rightfully), but I'm only trying to make a point :)
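The piecemeal migration described in the thread, written out as an added example (not code from either poster or from the LDAPv3-HOWTO): stage 1 adds a second userPassword value of the form {SASL}principal next to the existing hash, so the user can authenticate with either password while the Kerberos account is verified; stage 2 deletes the hashed values once the user is known to work. The DN, realm and {SSHA} value are constructed, and the server side is assumed to be an OpenLDAP slapd built with SASL pass-through (--enable-spasswd) and a saslauthd using the kerberos5 mechanism, which is what makes the {SASL} prefix mean "ask SASL, not the directory".

```python
"""Constructed example: per-user LDIF for moving accounts from LDAP password
hashes to Kerberos pass-through authentication one user at a time.

Assumes slapd was built with SASL pass-through (--enable-spasswd) and that
saslauthd runs with the kerberos5 mechanism; the DN, realm and hash below
are made up for illustration.
"""
from __future__ import annotations

import base64

SASL_PREFIX = "{SASL}"


def ldif_attr(name: str, value: str) -> str:
    """Render one attribute line, base64-encoding the value when RFC 2849
    does not allow it as a plain SAFE-STRING (leading space/colon/<, NUL,
    CR, LF or any non-ASCII byte)."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_chars = any(ord(c) > 127 or c in "\x00\r\n" for c in value)
    if unsafe_start or unsafe_chars:
        return f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return f"{name}: {value}"


def sasl_password_value(principal: str) -> str:
    """The userPassword value that hands the check off to SASL/Kerberos."""
    if "@" not in principal:
        raise ValueError("principal must carry a realm, e.g. user@EXAMPLE.COM")
    return SASL_PREFIX + principal


def is_sasl_value(value: str) -> bool:
    return value.startswith(SASL_PREFIX)


def stage1_add_sasl_ldif(dn: str, principal: str, current_values: list[str]) -> str:
    """LDIF adding a {SASL} value alongside the existing userPassword values.

    userPassword is multi-valued, so the old hash keeps working until
    stage 2 removes it.  Returns "" when the entry already has the value,
    so the script can be re-run safely."""
    new_value = sasl_password_value(principal)
    if new_value in current_values:
        return ""
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "add: userPassword",
        ldif_attr("userPassword", new_value),
        "-",
        "",
    ]
    return "\n".join(lines)


def stage2_remove_local_hashes_ldif(dn: str, current_values: list[str]) -> str:
    """LDIF deleting every non-{SASL} userPassword value so Kerberos is the
    only way in.  Refuses to proceed when no {SASL} value is present, since
    deleting the hash then would lock the user out."""
    if not any(is_sasl_value(v) for v in current_values):
        raise ValueError(f"{dn}: no {SASL_PREFIX} value present; run stage 1 first")
    to_delete = [v for v in current_values if not is_sasl_value(v)]
    if not to_delete:
        return ""
    lines = [f"dn: {dn}", "changetype: modify", "delete: userPassword"]
    lines += [ldif_attr("userPassword", v) for v in to_delete]
    lines += ["-", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample entry: one user still on an {SSHA} hash.
    dn = "uid=tim,ou=People,dc=example,dc=com"
    before = ["{SSHA}c29tZWNvbnN0cnVjdGVkaGFzaA=="]
    print(stage1_add_sasl_ldif(dn, "tim@EXAMPLE.COM", before))
    after_stage1 = before + [sasl_password_value("tim@EXAMPLE.COM")]
    print(stage2_remove_local_hashes_ldif(dn, after_stage1))
```

Each stage's output is meant to be fed to ldapmodify one user at a time; the gap between the two stages is where you confirm the user can log in via Kerberos, and users whose entries have not yet had stage 1 applied keep authenticating against the directory exactly as before.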
Hiya
Thanks - I will have a read of that link - and thanks for the tip about multiple userPassword attributes
Cheers
Tim