> There is a "ldap backend" for Heimdal, but it uses the non-standard ldapi interface (e.g. LDAP through a unix domain file based socket rather than a
> TCP/IP socket). You would have to port that code to use an ldap or ldaps interface for use with FDS.

That's not hard to change, but I would prefer to see someone add ldapi:// to FDS :-)

> Otherwise, I'm not sure if GSSAPI supports a password change mechanism. If so, you could do this through FDS.

GSS-API does not deal with acquiring initial credentials or changing passwords. In order to maintain password synchronization, you need to ensure that the set of Kerberos keys and directory user passwords is kept synchronized.

In our XAD identity server, we have a SLAPI plugin that intercepts LDAP password change requests (either RFC 3062, NMAS, or LDAP updates of the userPassword/unicodePwd attributes) and generates a user's key set for Kerberos, Digest, etc. I believe Symas wrote a similar plugin that works with the Heimdal LDAP backend but I'm not sure whether it is generally available.

-- Luke --
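An added example, not part of the original message and not code from XAD, Symas or Heimdal: recovering the cleartext password from two of the change paths named above (an RFC 3062 extended operation and a modify of userPassword/unicodePwd), which is what a synchronizing plugin needs before it can derive any keys. All function names and the sample bytes are constructed for illustration; RFC 2617 H(A1) stands in for the key set, NMAS and Kerberos string-to-key are not covered, and the `{` prefix test for pre-hashed values is a heuristic.

```python
import hashlib

PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify extended op

def _tlv(buf, pos):
    """Read one definite-length BER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def password_from_extop(value):
    """Return newPasswd ([2]) from a PasswdModifyRequestValue, or None."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag == 0x82:  # [2] newPasswd
            return val.decode("utf-8")
    return None  # omitted: the server is asked to generate the password

def password_from_modify(attr, raw):
    """Return the cleartext from a userPassword/unicodePwd modify, or None."""
    attr = attr.lower()
    if attr == "userpassword":
        # A pre-hashed value such as {SSHA}... cannot yield Kerberos or Digest keys.
        return None if raw.startswith(b"{") else raw.decode("utf-8")
    if attr == "unicodepwd":  # double-quoted string encoded as UTF-16LE
        text = raw.decode("utf-16-le")
        if len(text) < 2 or text[0] != '"' or text[-1] != '"':
            raise ValueError("unicodePwd must be a quoted UTF-16LE string")
        return text[1:-1]
    return None

def digest_ha1(user, realm, password):
    """RFC 2617 H(A1) (MD5): one member of the derived key set."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

# Constructed sample: SEQUENCE { [0] "uid=a", [2] "s3cret" }
SAMPLE_EXTOP = b"\x30\x0f\x80\x05uid=a\x82\x06s3cret"
```

A `None` result marks a change the plugin cannot turn into keys, so the Kerberos and directory credentials would drift apart unless that write is rejected or handled separately.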