Dan White wrote:
On 21/07/11 00:39 +0300, Nick Milas wrote:
Such a setup is meant to continue to allow the standard PLAIN auth over TLS/SSL (directly by LDAP) in some applications and provide Kerberos authentication in others, based on the same user/password database (stored and maintained in LDAP). [I know that in many environments, userPassword and krbPrincipalKey are deliberately different.]
Is there a way to automatically populate (either internally, via LDAP configuration, or externally, by running - for example - an external script) the values of the krbPrincipalName and krbPrincipalKey attributes, so that these values can be produced from the values of the currently used attributes (uid, userPassword, possibly including others)? This would allow initial creation of values for the above attributes using the same password value.
See:
contrib/slapd-modules/smbk5pwd/
Note that this overlay only works when using heimdal software for the KDC which uses a different LDAP schema.
Since the original poster mentioned the attributes krbPrincipalName and krbPrincipalKey, he seems to use MIT Kerberos.
Ciao, Michael.
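For readers who do run a Heimdal KDC against the same directory, here is what the suggested overlay looks like in slapd.conf. This is an added illustration, not configuration from the thread or from the smbk5pwd sources; the schema path, suffix, rootdn and directory are assumptions.

```conf
# Added example: slapd.conf fragment enabling smbk5pwd for Heimdal key generation.
# Paths, suffix and DN below are placeholders; adjust to your deployment.

# Heimdal's KDC schema: defines krb5KDCEntry, krb5PrincipalName, krb5Key,
# krb5KeyVersionNumber. smbk5pwd writes the key attributes but never the
# principal name, so each entry must already carry krb5PrincipalName.
include         /etc/openldap/schema/hdb.schema

# The overlay is built from contrib/slapd-modules/smbk5pwd/ and linked
# against Heimdal; it will not generate MIT-style krbPrincipalKey values.
moduleload      smbk5pwd.la

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

overlay         smbk5pwd
# Enable only the key stores you actually need. Each enabled module is
# refreshed from the same cleartext when a Password Modify extended
# operation (RFC 3062) changes the entry's password.
smbk5pwd-enable krb5
# smbk5pwd-enable samba
```

Two practical caveats. First, smbk5pwd hooks the Password Modify extended operation, so a client has to change passwords through it (for example `ldappasswd -x -D "uid=alice,ou=people,dc=example,dc=com" -W -S`); an ordinary LDAP modify that rewrites userPassword directly leaves the Kerberos keys untouched and the two stores silently drift apart. Second, the overlay derives keys from the new cleartext at change time only, so existing accounts do not get keys retroactively; each user has to set a password once after the overlay is enabled. For an MIT KDC with the LDAP backend, the equivalent "external script" approach is to drive kadmin.local (which writes krbPrincipalKey itself) from whatever process learns the new password, rather than trying to synthesise the attribute value in LDAP.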