
ldap-backend with kerberos


Julian Thomé

Sep 9, 2009, 6:12:28 AM
to kerb...@mit.edu
Hello mailing list,

We want to integrate Kerberos with our existing
user authentication system using PAM-LDAP, thus ... we want to use LDAP
as a backend for Kerberos.
That means that user data like password, username, uid etc. is stored
in the LDAP DB and we want Kerberos to use this data.
Is this possible in this way?

Thank you very much

Julian Thome



Greg Hudson

Sep 9, 2009, 11:08:31 AM
to Julian Thomé, kerb...@mit.edu
On Wed, 2009-09-09 at 06:12 -0400, Julian Thomé wrote:
> Hello mailing list,
>
> We want to integrate Kerberos with our existing
> user authentication system using PAM-LDAP, thus ... we want to use LDAP
> as a backend for Kerberos.
> That means that user data like password, username, uid etc. is stored
> in the LDAP DB and we want Kerberos to use this data.
> Is this possible in this way?

Yes, this is possible in krb5 1.6 and later. There are instructions in
the admin guide. You may need a copy of the source tree to get
kerberos.schema from.

Setup can be a little tricky to get right, depending on how familiar you
are with your OpenLDAP setup.


Julian Thomé

Sep 10, 2009, 12:02:24 PM
to kerb...@mit.edu
Thank you very much so far,

is it possible to compile the smbk5pwd module so that it can be used with
MIT Kerberos, so that we can sync passwords between LDAP and Kerberos?
It seems that this module with this configuration only works with
Heimdal Kerberos.
Or are there any alternatives?

Thank you !!





Michael Ströder

Sep 11, 2009, 6:37:22 AM
Julian Thomé wrote:
> is it possible to compile the smbk5pwd module so that it can be used with
> MIT Kerberos, so that we can sync passwords between LDAP and Kerberos?
> It seems that this module with this configuration only works with
> Heimdal Kerberos.

OpenLDAP's slapo-smbk5pwd only works with heimdal since currently heimdal's
and MIT's LDAP backends use different LDAP schema.

Ciao, Michael.

Julian Thomé

Sep 15, 2009, 11:02:40 AM
to kerb...@mit.edu
Thank you,

Now we want new users to be automatically available as Kerberos principals.
We want to create our user accounts directly in LDAP. For each user
created in the LDAP we need a Kerberos principal with the same password
as his Unix account.
For authentication, Kerberos should be used.
Is it possible (with the smbk5pwd module) to give newly created
LDAP entries (posixAccounts) a Kerberos password automatically?

Thanks !!
Bye Julian

> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

Michael Ströder

Sep 16, 2009, 9:16:39 AM
Julian Thomé wrote:
>
> Now we want new users to be automatically available as Kerberos principals.
> We want to create our user accounts directly in LDAP. For each user
> created in the LDAP we need a Kerberos principal with the same password
> as his Unix account.

Yes, I understand that quite well.

> For authentication, Kerberos should be used.
> Is it possible (with the smbk5pwd module) to give newly created
> LDAP entries (posixAccounts) a Kerberos password automatically?

As already said:

> Michael Ströder wrote:
>> OpenLDAP's slapo-smbk5pwd only works with heimdal since currently
>> heimdal's and MIT's LDAP backends use different LDAP schema.

Again: Yes, it is possible with heimdal as KDC. But not with MIT Kerberos.
slapo-smbk5pwd intercepts and handles the Password Modify extended operation
request. So you have to use that instead of simple modify request when setting
the password.

Ciao, Michael.
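The point in the reply above is that slapo-smbk5pwd only sees a password change when it arrives as the Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1); a plain LDAP Modify of userPassword goes straight to the backend and the overlay never derives new Kerberos keys. The following added example, written for this thread and not taken from OpenLDAP or the list posters, encodes and decodes the request value of that extended operation so the shape of the operation is visible offline. The DN and password values are constructed; in practice the request is issued with ldappasswd(1), python-ldap's passwd(), or ldap3's extend.standard.modify_password(), which all produce this same encoding.

```python
"""RFC 3062 Password Modify request value: BER encoder and decoder.

Added example (constructed, not from the thread). The extended operation
with OID 1.3.6.1.4.1.4203.1.11.1 is what slapo-smbk5pwd intercepts; a
plain Modify of userPassword bypasses the overlay, so Kerberos keys are
never updated. Building the value by hand shows what the overlay sees.
"""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 extended op OID

# Context-specific primitive tags inside PasswdModifyRequestValue
TAG_USER_IDENTITY = 0x80  # [0] userIdentity   OCTET STRING OPTIONAL
TAG_OLD_PASSWD = 0x81     # [1] oldPasswd      OCTET STRING OPTIONAL
TAG_NEW_PASSWD = 0x82     # [2] newPasswd      OCTET STRING OPTIONAL
TAG_SEQUENCE = 0x30       # universal SEQUENCE, constructed

_TAG_NAMES = {
    TAG_USER_IDENTITY: "userIdentity",
    TAG_OLD_PASSWD: "oldPasswd",
    TAG_NEW_PASSWD: "newPasswd",
}


def _ber_length(n: int) -> bytes:
    """Encode a BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + _ber_length(len(value)) + value


def encode_passwd_modify(user_dn=None, old_password=None, new_password=None) -> bytes:
    """Build the requestValue carried in the ExtendedRequest.

    Every field is optional; an empty SEQUENCE asks the server to pick a
    new password for the bound identity.
    """
    inner = b""
    if user_dn is not None:
        inner += _tlv(TAG_USER_IDENTITY, user_dn.encode("utf-8"))
    if old_password is not None:
        inner += _tlv(TAG_OLD_PASSWD, old_password.encode("utf-8"))
    if new_password is not None:
        inner += _tlv(TAG_NEW_PASSWD, new_password.encode("utf-8"))
    return _tlv(TAG_SEQUENCE, inner)


def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV starting at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def decode_passwd_modify(data: bytes) -> dict:
    """Parse a requestValue back into its three optional fields."""
    tag, body, end = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("requestValue must be exactly one SEQUENCE")
    fields = {name: None for name in _TAG_NAMES.values()}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in _TAG_NAMES:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswdModifyRequestValue")
        fields[_TAG_NAMES[tag]] = value.decode("utf-8")
    return fields


def is_passwd_modify_request(oid: str) -> bool:
    """The dispatch test an overlay makes: only this OID is intercepted."""
    return oid == PASSWD_MODIFY_OID


if __name__ == "__main__":
    # Constructed sample values for a posixAccount entry.
    req = encode_passwd_modify("uid=jthome,ou=people,dc=example,dc=com", None, "s3cret")
    print(req.hex())
    print(decode_passwd_modify(req))
```

The decoder rejects anything that is not a single SEQUENCE of the three tagged fields, which is the same strictness a server-side handler needs; the encoder's long-form length branch covers passwords or DNs over 127 bytes, where a naive single-byte length would corrupt the request.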
