BTW I'd appreciate any recommendations about providing Kerberos and LDAP authentication (with the same password) in a production setting. Should I use Heimdal or MIT Kerberos? If Heimdal, is it better to use OpenLDAP as a backend for Kerberos or let Kerberos use its native backend? If OpenLDAP as a backend, is it better to use {K5KEY} as the userPassword or let smbk5pwd synchronize everything?
Read the smbk5pwd README.
I've read it. Your answer seems to imply that I should use Heimdal and then OpenLDAP as its backend. Am I right?
It's more than just implied. The README says the code was written for Heimdal. If you want to use smbk5pwd at all, then you must use Heimdal.
Sorry, my question was not very clear. I want LDAP Simple Binds and Kerberos with the same password. I find smbk5pwd and OpenLDAP as a Heimdal backend very appealing, but maybe there are good reasons to use another Kerberos implementation and/or store passwords in the Kerberos native backend (adding e.g. SASL to the mix to make LDAP Simple Binds use pass-through authentication), obviously ruling out smbk5pwd.
Do you recommend using {K5KEY} as the userPassword?
If you want LDAP Simple Binds to use the same password as Kerberos, then yes. If not, then no.
AFAICS with smbk5pwd I have two ways to have LDAP Simple Binds and Kerberos with the same password. 1) force use of ldappasswd to make smbk5pwd synchronize all passwords; 2) assign {K5KEY} to the userPassword and use kpasswd to change a password.
If I understood correctly, the second method makes the passwords identical by construction, while the first allows passwords to desynchronize if changed without ldappasswd.
Best regards, Thierry
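For readers following the second method above (smbk5pwd with the Heimdal backend and {K5KEY} as the userPassword), here is an added configuration sketch; it is not part of the original thread and not taken from the smbk5pwd README. It uses the cn=config attribute names from the slapo-smbk5pwd(5) man page and the krb5Principal/krb5KDCEntry object classes from Heimdal's hdb.schema; the database name, base DN, realm and user are constructed placeholders.

```ldif
# Assumption: the smbk5pwd module is built and slapd uses cn=config with
# hdb.schema already loaded. The overlay is attached to a hypothetical
# database olcDatabase={1}mdb; only the Kerberos part is enabled, so
# userPassword is checked against the entry's Heimdal keys (krb5Key).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: smbk5pwd.la

dn: olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSmbK5PwdConfig
olcOverlay: smbk5pwd
olcSmbK5PwdEnable: krb5

# Constructed user entry. The entry carries no password hash of its own:
# userPassword is the literal scheme marker {K5KEY}, so a Simple Bind is
# verified by the overlay against the krb5Key attributes that the Heimdal
# KDC maintains in this same entry. Changing the password with kpasswd
# rewrites those keys, so LDAP and Kerberos cannot drift apart.
dn: uid=alice,ou=People,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: alice
cn: Alice Example
sn: Example
krb5PrincipalName: alice@EXAMPLE.COM
krb5KeyVersionNumber: 1
userPassword: {K5KEY}
```

With `olcSmbK5PwdEnable: krb5` an LDAP Password Modify (ldappasswd) also regenerates the krb5Key values, which is the first method from the thread; the difference is only that with {K5KEY} there is no separate userPassword hash left to go stale if a password is changed through Kerberos alone. A quick check after setup is an `ldapwhoami -x -D uid=alice,ou=People,dc=example,dc=com -W` with the Kerberos password, which should succeed without any password ever having been set through LDAP.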