[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Patch to prevent krb5Key attrs in Samba LDAP entries

On Thu, 19 May 2005 03:37:35 -0700
Howard Chu <hyc@highlandsun.com> wrote:

> Agreed. Not to mention, there are also still sites that perform LDAP 
> Simple Binds and other SASL secret-based mechs. Using the smbk5pwd 
> overlay ensures that all of these mechs work in a unified fashion. If 
> you only patch Heimdal and Samba to play with each other, you still 
> haven't solved the unification problem for SASL and low-function LDAP 
> clients.

Why not just use the

	userPassword: {SASL}user

directive? That's what I'm doing to unify everything.

I would be happier with the overlay if there were provisions to push
all password policies, such as history and strength checking, down into
it. Right now, the lack of a history for Heimdal is a bit of a sticking
point for me, so I may only allow password updates through smbpasswd. 

How possible is it to add more password policy provisions to smbk5pwd?
Does that module get the plaintext password?

> > I think the last point is the key issue here.  A patch that I think
> > would make more sense is one that uses the presence of an existing
> > krb5key attribute to determine if it should be updated.
> Again, agreed.

I'm assuming you'd only want this if you were not using the overlay?

By the way, I'm obviously much less familiar with all the inner workings
of the packages in question than most in this discussion, so thanks for
bearing with me. I'm extremely excited about being able to have a 
unified authentication database that isn't AD, so if I get too excited
and start talking about issues I don't really understand feel free to
let me know :->

| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |