[389-users] userPassword and {KERBEROS}username at REALM

Arnar Gunnarsson addi at hugsmidjan.is
Sat Jun 19 07:08:47 UTC 2010


I'm using the 389 DS to authenticate users against all sorts of services
(HTTP/IMAP/OpenVPN/etc.) using the userPassword attribute.

Now, I've recently installed a Kerberos server for secure authentication
and configured the 389 DS against the Kerberos server, and am able to
authenticate to the 389 DS using GSSAPI and perform searches. All is
well.

But here's my dilemma:

If the password in the LDAP userPassword attribute is “password1”
and I change the Kerberos password to “password2”, I now have two
different passwords.

I've seen references on some OpenLDAP-related mailing lists that you can
put {KERBEROS}username at REALM in the userPassword attribute as a way of
saying: “I don't have the password on file, but hang on – I'll just ask
the Kerberos server to check if the supplied password is correct”. Does
389 DS support something like this?

Thanks.
-- 
Arnar 'Addi' Gunnarsson     | System Administrator
http://addi.org/GPG-KEY.asc | RHCE · MCSA
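The mechanism the post is asking about, as an added illustration that is not part of the original message and not code from 389 DS or OpenLDAP: userPassword values carry an RFC 2307-style "{SCHEME}data" prefix, and a bind check dispatches on that prefix. A hashed scheme such as {SSHA} is verified locally; a pass-through reference such as {KERBEROS}principal holds no secret at all, so the only correct outcomes are "the KDC said yes" or "fail". The in-memory FakeKdc, the sample entries and the principal format check are constructed for this example; a real deployment would talk to the KDC.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Callable, Tuple

# RFC 2307 form: "{SCHEME}data". A value with no prefix is clear text.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9\-]+)\}(.*)$", re.S)
# Rough Kerberos principal shape "name[/instance]@REALM" (assumption: uppercase realm).
PRINCIPAL_RE = re.compile(r"^[^@/\s]+(/[^@\s]+)?@[A-Z0-9.\-]+$")


def make_ssha(password: str, salt: bytes = None) -> str:
    """Build a {SSHA} value: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_scheme(value: str) -> Tuple[str, str]:
    """Split a userPassword value into (SCHEME, data); no prefix means CLEAR."""
    m = SCHEME_RE.match(value)
    if not m:
        return "CLEAR", value
    return m.group(1).upper(), m.group(2)


def check_password(stored: str, supplied: str,
                   kerberos_verify: Callable[[str, str], bool]) -> str:
    """Return "ok", "fail" or "unsupported" for a simple bind against `stored`."""
    scheme, data = parse_scheme(stored)
    supplied_b = supplied.encode("utf-8")

    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        computed = hashlib.sha1(supplied_b + salt).digest()
        return "ok" if hmac.compare_digest(computed, digest) else "fail"

    if scheme == "CLEAR":
        return "ok" if hmac.compare_digest(data.encode("utf-8"), supplied_b) else "fail"

    if scheme == "KERBEROS":
        # Pass-through: the entry stores a principal, not a secret. Refuse
        # malformed references and never fall back to anything local.
        if not PRINCIPAL_RE.match(data):
            return "fail"
        try:
            return "ok" if kerberos_verify(data, supplied) else "fail"
        except Exception:
            # KDC unreachable or errored: fail closed rather than fall open.
            return "fail"

    # Unknown scheme: the server cannot verify it, so the bind must not succeed.
    return "unsupported"


class FakeKdc:
    """Constructed stand-in for a KDC; a real one would be asked via krb5/GSSAPI."""

    def __init__(self, principals):
        self._principals = principals

    def verify(self, principal: str, password: str) -> bool:
        expected = self._principals.get(principal)
        return expected is not None and hmac.compare_digest(expected, password)


def unreachable_kdc(principal: str, password: str) -> bool:
    """Simulates a KDC that cannot be contacted."""
    raise ConnectionError("KDC unreachable")


# Constructed sample data (not from the original post). Fixed salt keeps the
# SSHA value deterministic for the demo.
FAKE_KDC = FakeKdc({"bob@EXAMPLE.COM": "password2"})
SAMPLE_USER_PASSWORDS = {
    "alice": make_ssha("password1", salt=b"\x01\x02\x03\x04"),  # hashed locally
    "bob": "{KERBEROS}bob@EXAMPLE.COM",                           # deferred to the KDC
    "carol": "{MD5}not-handled-here",                             # unsupported scheme
}


def demo() -> dict:
    """Run each sample through the bind check and return the outcomes."""
    return {
        "alice/password1": check_password(SAMPLE_USER_PASSWORDS["alice"], "password1", FAKE_KDC.verify),
        "alice/password2": check_password(SAMPLE_USER_PASSWORDS["alice"], "password2", FAKE_KDC.verify),
        "bob/password2": check_password(SAMPLE_USER_PASSWORDS["bob"], "password2", FAKE_KDC.verify),
        "bob/password1": check_password(SAMPLE_USER_PASSWORDS["bob"], "password1", FAKE_KDC.verify),
        "bob/kdc-down": check_password(SAMPLE_USER_PASSWORDS["bob"], "password2", unreachable_kdc),
        "carol/anything": check_password(SAMPLE_USER_PASSWORDS["carol"], "x", FAKE_KDC.verify),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point the example makes is the one behind the post's dilemma: once the entry stores a {KERBEROS} reference instead of a hash, there is no second copy of the password to drift out of sync, but the directory is now only as available as the KDC, and a pass-through that falls back to a cached or stale local value when the KDC is down would quietly reintroduce the two-password problem.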
