
Re: Heimdal to LDAP integration

On 6/4/07, Henry B. Hotz <hotz@jpl.nasa.gov> wrote:
> Two ways (other than using an LDAP back-end for Heimdal):
>
> 1) If (really big if, since I don't know) there is a password hash
> used by LDAP that matches the hash used by some one of the Kerberos
> enctypes then that password hash could be exported from LDAP and
> imported into Heimdal.  Two specific enctypes to check would be the
> RC4 one, and the single-des ones, because they're common between AD
> and Kerberos.  The XAD product had a process for importing those
> enctypes from AD into their variant of Heimdal, and Samba 4 may as well.

From what I know the LDAP can use: crypt or SHA-1. I'm trying to figure out if they are storing in clear text. But I believe none of these will work with Kerberos.

> 2) You can (and we did) write a plug-in for your LDAP server that
> will check a password from a simple bind against Kerberos.  I gather
> this is in the category of what you're not allowed to do.

That's to get the LDAP to check binding against Kerberos, correct? That's not what we need.