Arnar Gunnarsson wrote:
> I'm using the 389 DS to authenticate users against all sorts of services
> (HTTP/IMAP/OpenVPN/etc) using the userPassword attribute.
>
> Now, I've recently installed a kerberos server for secure authentication
> and configured the 389 DS against the kerberos server, and am able to
> authenticate to the 389 DS using GSSAPI and perform searches. All is
> well.
>
> But here's my dilemma:
>
> Let's say the password in the LDAP userPassword attribute is "password1"
> and I change the kerberos password to "password2", I now have two
> different passwords.
>
> I've seen references on some OpenLDAP related mailing lists that you can
> put {KERBEROS}username at REALM in the userPassword attribute as a way of
> saying: "I don't have the password on file, but hang on, I'll just ask
> the kerberos server to check if the supplied password is correct". Does
> 389 DS support something like this?
>

Yes. It's called PAM passthrough. It passes the authentication request to PAM rather than directly to kerberos.

http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through

> Thanks.
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
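As an added illustration of the setup the reply points to (this is example configuration written for this page, not text from the thread or from the 389 DS project), the PAM pass-through plugin is enabled by modifying its entry under cn=config and pointing it at a PAM service that in turn checks Kerberos. The PAM service file that the plugin calls is shown in the leading comment. The PAM module choice (pam_krb5), the user suffix dc=example,dc=com, and the use of uid as the login name are assumptions; the plugin entry name and attribute names are those documented for 389 DS.

```ldif
# Assumed PAM service file, /etc/pam.d/ldapserver (the name in pamService
# below); it delegates the password check to the Kerberos KDC via pam_krb5:
#
#   auth    required   pam_krb5.so
#   account required   pam_krb5.so
#
# Apply the LDIF below with:  ldapmodify -x -D "cn=Directory Manager" -W -f pam-passthru.ldif

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
# Keep cn=config (Directory Manager etc.) on local LDAP passwords so an
# unreachable KDC cannot lock administrators out of the server itself.
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
# What to do with binds whose DN is under no suffix the plugin knows about.
replace: pamMissingSuffix
pamMissingSuffix: ERROR
-
# Map the bind DN to a PAM login name: take the value of the uid RDN
# (assumed suffix dc=example,dc=com, e.g. uid=alice,ou=people,dc=example,dc=com -> alice).
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
replace: pamIDAttr
pamIDAttr: uid
-
# FALSE: a failed PAM (Kerberos) check is NOT retried against the entry's
# userPassword, so a stale LDAP password like "password1" stops working
# once the Kerberos password changes. TRUE would re-open that gap.
replace: pamFallback
pamFallback: FALSE
-
# TRUE: only accept pass-through binds on a TLS-protected connection; the
# simple bind carries the plaintext password that PAM forwards to the KDC.
replace: pamSecure
pamSecure: TRUE
-
replace: pamService
pamService: ldapserver
```

After loading this, a simple bind as uid=alice,... succeeds only if the KDC accepts the password; the directory itself no longer needs (and, with pamFallback FALSE, no longer consults) a userPassword for those users, which removes the two-passwords problem in the question. Because the password still crosses the wire in the bind, a server that accepts this over plain LDAP would be exposing Kerberos credentials, which is what pamSecure TRUE guards against.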