Tim Watts wrote:
Hi folks,
I hope this is a quick and easy one :)
I have slapd 2.4.23 working with passthrough to MIT kerberos via saslauthd. I use smbkrb5pwd (a hack on smbk5pwd) to pass password changes through to kerberos (creating or modifying the target principle as required)
I haven't seen smbkrb5pwd but, as the author of smbk5pwd, it sounds like the hack is inadequate. smbk5pwd provides the {K5KEY} password hash mechanism, so you can use the Kerberos password directly, and you don't need {SASL} at all.
To enable a particular user to bind to slapd with their kerberos password, I'm setting:
userPassword: {SASL}myuid@MY.KERBEROS.REALM.EXAMPLE.COM
This works *very nicely*. Except one thing...
Using passwd via pam_ldap or ldappasswd directly smashes userPassword: and replaces the value with the password hash. Both machanisms are doing EXOP password changes.
Is there any way to stop this happening when the mechanism in userPassword is {SASL} ?
Set password-hash to {SASL} in slapd.conf/slapd-config.
Or maybe there is another way to enable global SASL password passthroughs?
======
I'm in a transition phase. I need to import the slapcat output from the old LDAP server to my new one. At this point, all authentication should be done with the existing userPassword hash. Password changes should update this hash and create/modify principles on the kerberos server.
Set the password-hash to {SASL} and whatever other hash you want to use.
3 months later, I want to switch the auth mechanism on all accounts to passthrough to kerberos, at which point, ldappasswd should still work but via smbkrb5pwd updating kerberos.
Maybe my strategy is wrong, but that's the basic problem I need to solve.
Am I trying this the wrong way?
Cheers and thanks in advance for any ideas.
Tim