Re: Heimdal to LDAP integration

On Jun 4, 2007, at 11:38 AM, Thomas Sant Ana wrote:

> On 6/4/07, Henry B. Hotz <hotz@jpl.nasa.gov> wrote:
>> Two ways (other than using an LDAP back-end for Heimdal):
>> 1) If (really big if, since I don't know) there is a password hash
>> used by LDAP that matches the hash used by some one of the Kerberos
>> enctypes then that password hash could be exported from LDAP and
>> imported into Heimdal.  Two specific enctypes to check would be the
>> RC4 one, and the single-des ones, because they're common between AD
>> and Kerberos.  The XAD product had a process for importing those
>> enctypes from AD into their variant of Heimdal, and Samba 4 may as
>> well.
>
> From what I know, the LDAP can use crypt or SHA-1. I'm trying to
> figure out if they are storing in clear text. But I believe none of
> these will work with Kerberos.

Well, clear text would work.  ;-)

>> 2) You can (and we did) write a plug-in for your LDAP server that
>> will check a password from a simple bind against Kerberos.  I gather
>> this is in the category of what you're not allowed to do.
>
> That's to get the LDAP to check binding against Kerberos, correct?
> That's not what we need.

Check.  It makes Kerberos instead of LDAP the primary password store.

> Thanks,

