Old 06-19-2010, 07:08 AM
Arnar Gunnarsson
 
userPassword and {KERBEROS}username@REALM

I'm using the 389 DS to authenticate users against all sorts of services
(HTTP/IMAP/OpenVPN/etc) using the userPassword attribute.

Now, I've recently installed a kerberos server for secure authentication
and configured the 389 DS against the kerberos server, and am able to
authenticate to the 389 DS using GSSAPI and perform searches. All is
well.

But here's my dilemma:

Let's say the password in the LDAP userPassword attribute is “password1”
and I change the kerberos password to “password2”, I now have two
different passwords.

I've seen references on some OpenLDAP related mailing lists that you can
put {KERBEROS}username@REALM in the userPassword attribute as a way of
saying: “I don't have the password on file, but hang on – I'll just ask
the kerberos server to check if the supplied password is correct”. Does
389 DS support something like this?

Thanks.
--
Arnar 'Addi' Gunnarsson | System Administrator
http://addi.org/GPG-KEY.asc | RHCE · MCSA

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 06-23-2010, 04:21 PM
Rich Megginson
 
userPassword and {KERBEROS}username@REALM

Arnar Gunnarsson wrote:
> I'm using the 389 DS to authenticate users against all sorts of services
> (HTTP/IMAP/OpenVPN/etc) using the userPassword attribute.
>
> Now, I've recently installed a kerberos server for secure authentication
> and configured the 389 DS against the kerberos server, and am able to
> authenticate to the 389 DS using GSSAPI and perform searches. All is
> well.
>
> But here's my dilemma:
>
> Let's say the password in the LDAP userPassword attribute is “password1”
> and I change the kerberos password to “password2”, I now have two
> different passwords.
>
> I've seen references on some OpenLDAP related mailing lists that you can
> put {KERBEROS}username@REALM in the userPassword attribute as a way of
> saying: “I don't have the password on file, but hang on – I'll just ask
> the kerberos server to check if the supplied password is correct”. Does
> 389 DS support something like this?
>
Yes. It's called PAM passthrough. It passes the authentication request
to PAM rather than directly to kerberos.
http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through
> Thanks.

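What the PAM pass-through setup Rich points to looks like in practice, as a constructed example (not code from the thread or from the 389 project): a PAM stack that hands the bind password to pam_krb5, and the LDIF that enables the plugin with that service. The suffix dc=example,dc=com, the service name "ldapserver" and the use of cn=Directory Manager are assumptions.

```shell
#!/bin/sh
# Constructed example (not the thread's or the 389 project's code): enable the
# 389 DS PAM Pass Through Auth plugin so simple binds go to pam_krb5/KDC, not
# userPassword. Assumed: suffix dc=example,dc=com, PAM service "ldapserver".
set -eu
SUFFIX="${SUFFIX:-dc=example,dc=com}"
PAM_SERVICE="${PAM_SERVICE:-ldapserver}"

# PAM stack the plugin calls: pam_krb5 obtains a TGT with the bind password
# and discards it, so the KDC becomes the single password authority.
pam_stack_config() {
    cat <<EOF
#%PAM-1.0
auth     required   pam_krb5.so
account  required   pam_krb5.so
EOF
}

# RDN mapping turns uid=addi,... into PAM user "addi". pamFallback FALSE:
# a KDC rejection fails the bind instead of retrying against userPassword.
# pamSecure TRUE: refuse non-TLS binds, since the bind carries the cleartext
# password to the directory server before PAM ever sees it.
passthrough_ldif() {
    cat <<EOF
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamIncludeSuffix
pamIncludeSuffix: ${SUFFIX}
-
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
replace: pamFallback
pamFallback: FALSE
-
replace: pamSecure
pamSecure: TRUE
-
replace: pamService
pamService: ${PAM_SERVICE}
EOF
}

# Print both configs; pass --apply to write them (restart the DS afterwards).
if [ "${1:-}" = "--apply" ]; then
    pam_stack_config > "/etc/pam.d/${PAM_SERVICE}"
    passthrough_ldif | ldapmodify -x -D "cn=Directory Manager" -W
else
    pam_stack_config; echo; passthrough_ldif
fi
```

Because the plugin only answers simple binds, GSSAPI binds like the ones already working in the thread are unaffected; the stored userPassword values can then be removed so no second credential lingers.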
 

Thread Tools




All times are GMT. The time now is 07:59 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org