Re: How to synchronize Kerberos and SASL passwords?

Dieter Kluenter wrote:
Patrick Ben Koetter <p@xxxxxxxxxxxxxxxx> writes:

* Sebastian Hagedorn <Hagedorn@xxxxxxxxxxxx>:
Hi Gary,

--On 28. November 2007 19:40:22 -0600 Gary Mills <mills@xxxxxxxxxxxxxxx> wrote:

We have a central database that contains Unix, NTLM, and SASL
passwords, permitting single-password signons for Unix and Windows
desktops, and for Cyrus IMAP.  I'd like to add Kerberos to this mix,
but only for IMAP authentications initially.  This would permit
single-signon from Unix IMAP clients like mutt and pine, and
especially from a webmail application using pubcookie for
authentication.  I'd like Kerberos to use the same passwords, rather
than supporting another password database.  Is anybody doing this?  Is
it even possible?
I don't think so, but I could be wrong.
I've heard (!) that if the central database is LDAP one can use an OpenLDAP
overlay that synchronizes passwords in several services and IIRC Kerberos was
also mentioned. See <http://www.symas.com/introtooverlays.shtml> and look for
"smbk5pwd".

This overlay is only synchronising smb and krb5 passwords if these are
held in the directory, for krb5 this can only be achieved with heimdal
krb5.

Gary,

In addition to the smbk5pwd, you may also want to check out nss_ldap:

http://www.padl.com/OSS/nss_ldap.html

and if using PAM, pam_ldap:

http://www.padl.com/OSS/pam_ldap.html

and also the ldapdb SASL auxprop plugin.

nss_ldap will allow you to store additional /etc/passwd, /etc/group and /etc/shadow entries into LDAP.

SASL can be configured to use ldapdb to retrieve and store passwords in LDAP.

Samba and Heimdal (as mentioned above) can be configured to store their users and principals into the same LDAP store, and the smbk5pwd overlay will update the samba and kerberos entries when the userPassword is changed, via an LDAP password extended operation.

Passwords can be changed via the ldappasswd command, or pam_ldap can be configured to perform the password extended operation each time a 'passwd' is run to change passwords.

- Dan
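As an added illustration of the arrangement Dan describes (this is not from any poster, nor a copy of any project's sample configuration): the slapd overlay, the Cyrus SASL ldapdb auxprop settings and the pam_ldap password method wired together. The suffix dc=example,dc=com, the schema paths, the cyrus-sasl proxy identity and all secrets are assumptions.

```conf
# ---- slapd.conf (assumed suffix dc=example,dc=com) ----
include         /etc/openldap/schema/samba.schema    # path is an assumption
include         /etc/openldap/schema/hdb.schema      # Heimdal schema, path assumed
moduleload      smbk5pwd.la                          # only if built as a module
authz-policy    to
# Map a SASL identity "uid=alice,cn=DIGEST-MD5,cn=auth" onto the user's DN so
# ldapdb can proxy-authorize as that user.
authz-regexp    "uid=([^,]*),cn=[^,]*,cn=auth"
                "ldap:///dc=example,dc=com??sub?(uid=$1)"

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
# Only the user and the admin may read userPassword; ldapdb (shared-secret
# mechanisms such as DIGEST-MD5) needs the cleartext value, so ACLs and TLS
# on every path to this attribute matter.
access to attrs=userPassword
        by self write
        by dn.exact="cn=cyrus-sasl,dc=example,dc=com" read
        by anonymous auth
        by * none

# Derive sambaNTPassword and Heimdal krb5 keys whenever userPassword is set
# through the Password Modify extended operation (cleartext arrives in the exop).
overlay         smbk5pwd
smbk5pwd-enable samba
smbk5pwd-enable krb5

# The cyrus-sasl entry itself additionally carries (assumed DN pattern):
#   authzTo: dn.regex:^uid=[^,]+,dc=example,dc=com$

# ---- /etc/imapd.conf (Cyrus IMAP prefixes SASL options with sasl_) ----
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldapi:///
sasl_ldapdb_id: cyrus-sasl
sasl_ldapdb_pw: ASSUMED-PROXY-SECRET
sasl_ldapdb_mech: DIGEST-MD5
sasl_ldapdb_canon_attr: uid

# ---- /etc/ldap.conf (pam_ldap) ----
# Use the Password Modify exop instead of rewriting userPassword directly,
# so 'passwd' goes through the overlay and all three credentials stay in step.
pam_password exop
```

A password changed any other way (for example a direct Modify of a pre-hashed userPassword, or kpasswd against the KDC) bypasses the overlay and leaves the three credentials out of sync, which is worth checking for when the setup is audited.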
