On 14-02-13 03:18 PM, Abdelkader Chelouah wrote:
Actually, that's the point, my kerberos data and the userPassword are not in separate entries, so the locking issue.
If it isn't possible for you to change that, then I don't think you can use smbkrb5pwd. smbk5pwd does allow this structure, but only works with Heimdal.
As far as concerned SASL passthrough, we are migrating users from OpenLDAP to KDC+OpenLDAP Backend. As we cannot derive a user password from the hash, first we have to force users to change their password (for the synchronization with the KDC password) and then to use SASL passthrough.
Thanks. I think I understand now. I have no good suggestions, only several poor ones. For example, you could keep the KDC database outside of LDAP during your transition period and then migrate it to LDAP later. Or you could use a custom program or script, instead of ldappasswd, that would authenticate against LDAP and perform an administrative Kerberos password change without the old password. I'm sure neither of those are the answer you wanted.