Re: why heimdal over MIT?
On Mon, 2003-03-17, Luke Howard wrote:
>
> >Bad point: Policies (password lifetime, password rules etc.) are
> >incompletely or weirdly implemented but nothing that can be cured by
> >some C coding.
>
> Heimdal does support dynamic loading of password quality plugins. See
> lib/kadm5/password_quality.c.
>
> We use such a plugin not only to test password quality but to
> synchronize Kerberos keys with an LDAP directory.
I wrote a plugin also, to synchronize Kerberos keys with arbitrary
programs with libexpect.
I just uploaded it to
http://sourceforge.net/projects/pam-krb5/
CVS at
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pam-krb5/heimdal-pwexport/
Sample script for smbpasswd:
# heimdal pwexport script for smbpasswd
# List of the preset variables:
# macros:
#set PWEXP_SUCCES "0"
#set PWEXP_USER_UNKNOWN "10"
#set PWEXP_SYSTEM_ERR "4"
# user data:
#set princ_name "balsa"
#set princ_password "secret"
#set princ_instance ""
#set princ_realm "BALSA'S.REALM"
# don't forget this line
set timeout 10
if {$princ_instance == "" && $princ_realm == "YOUR.REALM"} {
    spawn -noecho /usr/bin/smbpasswd $princ_name
    expect "New SMB password:"
    # "--" ends option parsing, so a password starting with "-" is sent literally
    send -- "$princ_password\r"
    expect "Retype new SMB password:"
    send -- "$princ_password\r"
    # map the smbpasswd result to the plugin's return codes;
    # "default" covers both timeout and eof
    expect {
        "Password changed for user $princ_name" {set return_value $PWEXP_SUCCES}
        "Failed to find entry for user $princ_name" {set return_value $PWEXP_USER_UNKNOWN}
        default {set return_value $PWEXP_SYSTEM_ERR}
    }
} else {
    # not a plain user principal of this realm: nothing to export
    set return_value $PWEXP_USER_UNKNOWN
}
balsa