On 21/07/11 00:39 +0300, Nick Milas wrote:
> Such a setup is meant to continue to allow the standard PLAIN auth over TLS/SSL (directly by LDAP) in some applications and provide Kerberos authentication in others, based on the same user/password database (stored and maintained in LDAP). [I know that in many environments, userPassword and krbPrincipalKey are deliberately different.]
> Is there a way to automatically populate (either internally, via LDAP configuration, or externally, by running - for example - an external script) the values of krbPrincipalName and krbPrincipalKey attributes, so that these values can be produced by the values of the currently used attributes (uid, userPassword, including possibly others)? This would allow initial creation of values for the above attributes using the same password value.
See:
contrib/slapd-modules/smbk5pwd/
within the source.