[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heimdal to LDAP integration

>>>>> "Love" == Love Hörnquist <Åstrand <lha@kth.se>> writes:

    Love> Unless you have the cleartext password of the user in the
    Love> you can never do this.  With LDAP is common to have md5 hash
    Love> in the directory and not the password.

    Love> If you have a cleartext password its possible to do this,
    Love> but you have to modify the hdb backend code fetch the
    Love> password from ldap and convert the password to kerberos key
    Love> (and prefereably cache the result since s2k operations are
    Love> expensive in terms of CPU usage).

You could have a service, that you authenticate against using your
LDAP password, that will automatically update your Kerberos
password. Maybe not what you want...

In general, you can't authenticate a Kerberos server against a LDAP
server, without ugly hacks like allowing the Kerberos server access
clear text passwords from the server (which is probably not even an
option for you).

This is because the Kerberos server never receives the password from
the user, so it has nothing to use to authenticate against the LDAP
Brian May <bam@snoopy.apana.org.au>