Hello all,
I configured a KDC (MIT Kerberos 1.12.1) with an OpenLDAP (2.4.32) backend. Everything is working fine. We want to migrate smoothly from LDAP passwords to KDC passwords. For that purpose, we plan to force users to change their password using the ldappasswd command, intercept the password modification with the smbkrb5pwd overlay, and then change the userPassword attribute for SASL passthrough. I set up the overlay smbkrb5pwd (latest git version) to synchronize LDAP and Kerberos passwords as described on
https://github.com/opinsys/smbkrb5pwd
The module is loaded correctly. However, the "ldappasswd" command hangs now. This is apparently due to a locking issue. Has anyone succeeded in configuring the overlay? Is there any other way to synchronize LDAP and KDC passwords when OpenLDAP is used as a backend?
On 14-02-13 12:55 PM, Abdelkader Chelouah wrote:
> The module is loaded correctly. However, the "ldappasswd" command hangs now. This is apparently due to a locking issue. Has anyone succeeded in configuring the overlay?
I'm using (slightly modified [1]) smbkrb5pwd in production and haven't encountered any such locking issue. Can you provide more details about your setup, and perhaps a debug log of such a hung request? I assume your userPassword attribute and Kerberos data are in separate entries as per the README.
[1] https://github.com/sd63/smbkrb5pwd/compare/opinsys:master...master
BTW, I don't understand your mention of SASL passthrough. The point of smbkrb5pwd is to synchronize the userPassword and Kerberos password. If you want to use SASL passthrough instead, then you should just change the Kerberos password directly, right?
Actually, that's the point: my Kerberos data and the userPassword are not in separate entries, hence the locking issue. As far as SASL passthrough is concerned, we are migrating users from OpenLDAP to a KDC with an OpenLDAP backend. As we cannot derive a user's password from the hash, first we have to force users to change their password (for synchronization with the KDC password) and then use SASL passthrough.
On 13/02/2014 22:18, Ryan Tandy wrote:
> On 14-02-13 12:55 PM, Abdelkader Chelouah wrote:
>> The module is loaded correctly. However, the "ldappasswd" command hangs now. This is apparently due to a locking issue. Has anyone succeeded in configuring the overlay?
> I'm using (slightly modified [1]) smbkrb5pwd in production and haven't encountered any such locking issue. Can you provide more details about your setup, and perhaps a debug log of such a hung request? I assume your userPassword attribute and Kerberos data are in separate entries as per the README.
> [1] https://github.com/sd63/smbkrb5pwd/compare/opinsys:master...master
> BTW, I don't understand your mention of SASL passthrough. The point of smbkrb5pwd is to synchronize the userPassword and Kerberos password. If you want to use SASL passthrough instead, then you should just change the Kerberos password directly, right?
On 14-02-13 03:18 PM, Abdelkader Chelouah wrote:
> Actually, that's the point: my Kerberos data and the userPassword are not in separate entries, hence the locking issue.
If it isn't possible for you to change that, then I don't think you can use smbkrb5pwd. smbk5pwd does allow this structure, but only works with Heimdal.
> As far as SASL passthrough is concerned, we are migrating users from OpenLDAP to a KDC with an OpenLDAP backend. As we cannot derive a user's password from the hash, first we have to force users to change their password (for synchronization with the KDC password) and then use SASL passthrough.
Thanks. I think I understand now. I have no good suggestions, only several poor ones. For example, you could keep the KDC database outside of LDAP during your transition period and then migrate it to LDAP later. Or you could use a custom program or script, instead of ldappasswd, that would authenticate against LDAP and perform an administrative Kerberos password change without the old password. I'm sure neither of those are the answer you wanted.
On 02/13/14 21:55 +0100, Abdelkader Chelouah wrote:
> Hello all,
> I configured a KDC (MIT Kerberos 1.12.1) with an OpenLDAP (2.4.32) backend. Everything is working fine. We want to migrate smoothly from LDAP passwords to KDC passwords. For that purpose, we plan to force users to change their password using the ldappasswd command, intercept the password modification with the smbkrb5pwd overlay, and then change the userPassword attribute for SASL passthrough. I set up the overlay smbkrb5pwd (latest git version) to synchronize LDAP and Kerberos passwords as described on
> https://github.com/opinsys/smbkrb5pwd
> The module is loaded correctly. However, the "ldappasswd" command hangs now. This is apparently due to a locking issue. Has anyone succeeded in configuring the overlay? Is there any other way to synchronize LDAP and KDC passwords when OpenLDAP is used as a backend?
You can use kpasswd. You'll need to set userPassword to passthrough using some other mechanism, perhaps with a shell script that does both.
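The script below is an added example, not code from this thread, from smbkrb5pwd or from OpenLDAP; it is one way to do what Ryan (a custom program that authenticates against LDAP and performs an administrative Kerberos password change) and Dan (a shell script that sets both the Kerberos password and the passthrough userPassword) suggest. The user proves knowledge of the current LDAP password with a simple bind, the Kerberos password is then set through kadmin with an admin keytab (no old Kerberos password is needed, which is the point, since it cannot be derived from the stored hash), and only after a test kinit confirms the KDC accepts the new password is userPassword replaced by the {SASL}user@REALM marker that makes slapd hand later binds to saslauthd. The LDAP URI, base DN, realm, the pwsync/admin principal and its keytab are assumed names; the saslauthd kerberos5 setup and the ACL allowing the ldapi root identity to write userPassword are assumed to exist.

```shell
#!/bin/sh
# Added example (not from the thread or from smbkrb5pwd): migrate one user
# from an LDAP password hash to Kerberos + SASL passthrough.
# Assumed: ldapi:/// with root mapped to an identity allowed to write
# userPassword, a pwsync/admin principal with a keytab, and saslauthd
# running with MECH=kerberos5 for slapd's {SASL} passthrough.
set -eu

LDAP_URI=${LDAP_URI:-ldapi:///}
BASE_DN=${BASE_DN:-ou=people,dc=example,dc=com}
REALM=${REALM:-EXAMPLE.COM}
KADMIN_PRINC=${KADMIN_PRINC:-pwsync/admin@EXAMPLE.COM}
KADMIN_KEYTAB=${KADMIN_KEYTAB:-/etc/krb5.pwsync.keytab}

user_dn() { printf 'uid=%s,%s\n' "$1" "$BASE_DN"; }

# Commands fed to kadmin on stdin. Passing the password this way keeps it out
# of argv, where `kadmin -q "cpw -pw ..."` would expose it in ps and /proc.
kadmin_cpw_script() {   # $1 = uid, $2 = new password
    printf 'cpw -pw %s %s@%s\nquit\n' "$2" "$1" "$REALM"
}

# LDIF that replaces the stored hash with the passthrough marker. After this
# slapd holds no hash for the user; saslauthd checks binds against the KDC.
passthrough_ldif() {    # $1 = uid
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: {SASL}%s@%s\n' \
        "$(user_dn "$1")" "$1" "$REALM"
}

# Prompt without echo and store the secret in a file (no trailing newline,
# which is what ldap*(1) -y expects).
read_secret() {         # $1 = prompt, $2 = destination file
    printf '%s: ' "$1" >&2
    stty -echo
    IFS= read -r secret
    stty echo
    printf '\n' >&2
    printf '%s' "$secret" > "$2"
}

migrate_user() {        # $1 = uid
    uid=$1
    tmp=$(mktemp -d)
    chmod 700 "$tmp"
    trap 'stty echo 2>/dev/null; rm -rf "$tmp"' EXIT
    read_secret "Current LDAP password for $uid" "$tmp/old"
    read_secret "New Kerberos password for $uid" "$tmp/new"

    # 1. The user proves the old LDAP password by binding with it.
    ldapwhoami -x -H "$LDAP_URI" -D "$(user_dn "$uid")" -y "$tmp/old" >/dev/null

    # 2. Administrative change on the KDC; the old Kerberos password is not
    #    needed. Interactive kadmin exits 0 even if cpw fails, hence step 3.
    kadmin_cpw_script "$uid" "$(cat "$tmp/new")" |
        kadmin -p "$KADMIN_PRINC" -k -t "$KADMIN_KEYTAB"

    # 3. Do not flip the entry to passthrough until the KDC really accepts
    #    the new password, or the user ends up locked out of both systems.
    printf '%s\n' "$(cat "$tmp/new")" | kinit -c "$tmp/cc" "$uid@$REALM"
    kdestroy -c "$tmp/cc"

    # 4. Replace the hash with the {SASL} marker (root over ldapi, assumed ACL).
    passthrough_ldif "$uid" | ldapmodify -Q -H "$LDAP_URI" -Y EXTERNAL
}

if [ $# -eq 1 ]; then migrate_user "$1"; fi
```

Run it as root on the slapd host (`./migrate_user.sh alice`). The order of the last two steps is the part worth keeping even if the surrounding details change: the KDC password must be verified before the LDAP hash is destroyed, because a failed cpw followed by a successful ldapmodify leaves the user with no working password anywhere.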
openldap-technical@openldap.org