
Re: Heimdal to LDAP integration



>>>>> "Love" == Love Hörnquist Åstrand <lha@kth.se> writes:

    Love> Unless you have the cleartext password of the user in the
    Love> directory, you can never do this.  With LDAP it is common to have
    Love> an md5 hash in the directory and not the password.

    Love> If you have a cleartext password it's possible to do this,
    Love> but you have to modify the hdb backend code to fetch the
    Love> password from ldap and convert the password to a kerberos key
    Love> (and preferably cache the result since s2k operations are
    Love> expensive in terms of CPU usage).

You could have a service, that you authenticate against using your
LDAP password, that will automatically update your Kerberos
password. Maybe not what you want...

In general, you can't authenticate a Kerberos server against an LDAP
server without ugly hacks like allowing the Kerberos server access to
clear text passwords from the server (which is probably not even an
option for you).

This is because the Kerberos server never receives the password from
the user, so it has nothing to use to authenticate against the LDAP
server.
-- 
Brian May <bam@snoopy.apana.org.au>
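The point both replies make, that a KDC can only build a Kerberos key from the cleartext password and not from a hashed userPassword, can be shown with the string-to-key salt and PBKDF2 stage of RFC 3962. This is an added example, not Heimdal's hdb code; it assumes OpenLDAP-style `{SCHEME}` prefixes on userPassword and stops after the PBKDF2 "tkey" step (the final DK step needs AES and is omitted).

```python
import hashlib
from functools import lru_cache

# RFC 3962 recommends 4096 iterations; this is the "s2k is expensive" cost
# the thread talks about, so derived keys are cached below.
DEFAULT_ITERATIONS = 4096


def kerberos_salt(principal):
    """Default salt (RFC 4120 4.2): realm followed by the name components,
    with no separators, e.g. raeburn@ATHENA.MIT.EDU -> ATHENA.MIT.EDUraeburn."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def ldap_password_is_cleartext(user_password):
    """Classify an LDAP userPassword value (assumed OpenLDAP conventions):
    values with a {SCHEME} prefix other than {CLEARTEXT} are hashes and
    cannot be turned into a Kerberos key; unprefixed values are cleartext."""
    if user_password.startswith(b"{"):
        scheme, _, rest = user_password[1:].partition(b"}")
        if scheme.upper() == b"CLEARTEXT":
            return True, rest
        return False, b""
    return True, user_password


@lru_cache(maxsize=1024)
def pbkdf2_tkey(password, salt, iterations=DEFAULT_ITERATIONS, keylen=16):
    """First stage of RFC 3962 aes128-cts string-to-key: PBKDF2-HMAC-SHA1.
    Note that the cache holds the cleartext password as part of its key."""
    return hashlib.pbkdf2_hmac("sha1", password, salt.encode(), iterations, keylen)


def tkey_from_ldap_entry(principal, user_password, iterations=DEFAULT_ITERATIONS):
    """What a modified hdb backend would have to do: refuse hashed entries,
    derive the key material from a cleartext one."""
    ok, password = ldap_password_is_cleartext(user_password)
    if not ok:
        raise ValueError("userPassword is hashed; cannot derive a Kerberos key")
    return pbkdf2_tkey(password, kerberos_salt(principal), iterations)
```

The test vector (iteration count 1, passphrase "password", salt "ATHENA.MIT.EDUraeburn") is the one from RFC 3962 Appendix B.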