Re: Using other than OpenLDAP

[Luke Howard <lukeh@PADL.COM>]

>I'm an absolute newbie to kerberos trying to see how to fit it into our
>network and existing authentication schemes.  Currently, LDAP represents
>the backend store for all passwords and users are authenticated against
>the LDAP server.  Maintenance of the LDAP user/password data is built into
>our account management software, and numerous not-easily-kerberizable
>applications will continue to depend on it.  The potential issue here is
>that the sever in question is the iPlanet server, not OpenLDAP.  The other
>issue is passwords which are already encrypted on the iPlanet server.

The Heimdal LDAP backend was designed specifically for OpenLDAP, because
it takes advantage of the LDAP domain socket "secure channel" which, at 
this point in time, only OpenLDAP supports. That doesn't mean it won't
work with another directory server, just that you won't here how to do
it from me :-)

>Can I use iPlanet?  Also, looking at the krb5-kdc.schema, I don't see an
>obvious place for user passwords.  I presume that the krb5PrincipalName
>attribute would hold the id of a user, but it's not obviously a DN, so I'm
>not sure how all the LDAP pieces even connect.

The krb5PrincipalName attribute is a Kerberos V principal name. This
identity needs to be maintained separately; you could use a SLAPI plugin
to generate a reasonable value for the default realm when a user is 
added to the directory, for example.

Keys are stored in the krb5Key attribute. The is independent of the 
userPassword attribute; the userPassword does not provide the appropriate
key material for Kerberos, although you could certainly write a SLAPI
plugin to keep userPassword synchronized with Kerberos.

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com