Re: Heimdal to LDAP integration
On Jun 4, 2007, at 11:38 AM, Thomas Sant Ana wrote:
> On 6/4/07, Henry B. Hotz <hotz@jpl.nasa.gov> wrote:
> Two ways (other than using an LDAP back-end for Heimdal):
>
> 1) If (really big if, since I don't know) there is a password hash
> used by LDAP that matches the hash used by some one of the Kerberos
> enctypes then that password hash could be exported from LDAP and
> imported into Heimdal. Two specific enctypes to check would be the
> RC4 one, and the single-DES ones, because they're common between AD
> and Kerberos. The XAD product had a process for importing those
> enctypes from AD into their variant of Heimdal, and Samba 4 may as
> well.
>
> From what I know the LDAP can use: crypt or SHA-1. I'm trying to
> figure out if they are storing in clear text. But I believe none of
> these will work with Kerberos.

Well, clear text would work. ;-)

> 2) You can (and we did) write a plug-in for your LDAP server that
> will check a password from a simple bind against Kerberos. I gather
> this is in the category of what you're not allowed to do.
>
>
> That's to get the LDAP to check binding against Kerberos, correct?
> That's not what we need.

Check. It makes Kerberos instead of LDAP the primary password store.

> Thanks,
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
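
Added example, not part of the original message and not Heimdal or LDAP server code: it shows why the thread concludes that only a cleartext `userPassword` can seed a Kerberos key. The RC4 enctype key is the unsalted MD4 of the UTF-16LE password (RFC 4757), which a `{SSHA}` value cannot be converted into. The function names, the sample password and salt, and the treatment of unprefixed values as cleartext are assumptions made for illustration.

```python
import base64, hashlib, re, struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks it on OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    rol = lambda v, n: ((v << n) | (v >> (32 - n))) & mask
    n = len(data)
    data += b"\x80" + b"\x00" * ((55 - n) % 64) + struct.pack("<Q", n * 8)
    rounds = (  # (boolean function, additive constant, word order, shifts)
        (lambda b, c, d: (b & c) | (~b & d), 0, range(16), (3, 7, 11, 19)),
        (lambda b, c, d: (b & c) | (b & d) | (c & d), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda b, c, d: b ^ c ^ d, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for f, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (a + f(b, c, d) + x[k] + const) & mask
                a, b, c, d = d, rol(t, shifts[i % 4]), b, c
        h = [(p + q) & mask for p, q in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def kerberos_rc4_key(password: str) -> bytes:
    """arcfour-hmac string-to-key (RFC 4757): unsalted MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def make_ssha(password: str, salt: bytes) -> str:
    """Build a constructed {SSHA} value: base64(SHA-1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def rc4_key_from_userpassword(value: str):
    """Return the RC4 key derivable from a userPassword value, or None if hashed."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}(.*)", value, re.S)
    if m and m.group(1).upper() != "CLEARTEXT":
        return None  # {SHA}, {SSHA}, {CRYPT}: one-way digests, not MD4(UTF-16LE(pw))
    # Assumption: an unprefixed value is stored in the clear.
    return kerberos_rc4_key(m.group(2) if m else value)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    for sample in ("password", make_ssha("password", b"salt")):
        key = rc4_key_from_userpassword(sample)
        print(sample, "->", key.hex() if key else "no Kerberos key derivable")
```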