With Heimdal and OpenLDAP, you can use the smbk5pwd overlay (it's in the
contrib directory) to sync heimdal keys, openldap passwords (it actually
points the openldap password to the heimdal key), and sambaLM and
sambaNT hashes. Then, if you configure your client services to change
passwords using ldappasswd, you can avoid the long chain of custom
scripts to keep everything in sync.
If there is something similar for MIT Kerberos and FDS, I would be sold
in a microsecond.
Doesn't Samba 4 make this problem moot though?
- Scott
Howard Chu wrote:
Date: Thu, 12 Jun 2008 21:15:49 +0200
From: Jan Frode Myklebust <janfrode@xxxxxxxxx>
I have fds set up for user management, and have kerberos set
up for authentication, but am a bit uncertain if I'm now finished,
or if fds+kerberos are supposed to be better integrated.
Is the normal procedure for managing users:
- add user info to the directory (ldapadd)
- create user principal (addprinc username)
Or can the user principal be created automatically from within fds
when we create users there?
If you're using Heimdal's KDC there is a much less clumsy solution -
just configure your KDC to store its information in LDAP. Then you can
include the KDC-specific attributes in your ldapadd requests, and
manage both sets of users solely through LDAP. This works very well
with OpenLDAP; I think it should also work with FDS 1.1 now that
they've integrated ldapi:// support (but haven't tried it myself). You
can then also configure OpenLDAP to automatically synchronize password
changes between LDAP and Kerberos (since all the information is in the
LDAP entry).
I believe recent versions of MIT Kerberos also offer this possibility,
but I haven't heard of any success stories with it so far.
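Putting the two posts above together (Heimdal KDC storing its database in OpenLDAP, reached over ldapi://, with the smbk5pwd overlay keeping userPassword and the Kerberos key in step), here is an added illustration of the configuration pieces; it is not from either poster. The suffix dc=example,dc=com, realm EXAMPLE.COM, the rootdn, and all file paths are assumptions; the hdb-ldap directives follow Heimdal's own documentation for the LDAP backend.

```conf
# --- slapd.conf (OpenLDAP side): Heimdal schema, smbk5pwd overlay, root access over ldapi
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/hdb.schema        # Heimdal's krb5* attributes (assumed path)
include         /etc/openldap/schema/samba.schema      # only needed when syncing Samba hashes
moduleload      smbk5pwd.la                            # built from contrib/slapd-modules/smbk5pwd

# The KDC/kadmind run as root and bind over ldapi:// with SASL EXTERNAL; map that
# peer credential to the rootdn so they may read/write krb5Key. slapd must be
# started with a ldapi listener, e.g.  slapd -h "ldap:/// ldapi:///"
authz-regexp    gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth
                cn=Manager,dc=example,dc=com

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

overlay         smbk5pwd
smbk5pwd-enable krb5      # a Password Modify exop also rewrites krb5Key/krb5KeyVersionNumber
smbk5pwd-enable samba     # ...and sambaLMPassword/sambaNTPassword on sambaSamAccount entries

# --- krb5.conf / kdc.conf (Heimdal side): use the directory instead of a local hdb file
[kdc]
        database = {
                dbname = ldap:ou=People,dc=example,dc=com
                hdb-ldap-structural-object = inetOrgPerson
                acl_file = /var/heimdal/kadmind.acl
                mkey_file = /var/heimdal/m-key
        }

# --- user.ldif: one ldapadd request carrying both the person data and the KDC entry
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: alice
cn: Alice Example
sn: Example
krb5PrincipalName: alice@EXAMPLE.COM
krb5KeyVersionNumber: 0

# --- then set the password once through the overlay; it derives the Kerberos keys
# ldapadd    -x -D cn=Manager,dc=example,dc=com -W -f user.ldif
# ldappasswd -x -D cn=Manager,dc=example,dc=com -W -S uid=alice,ou=People,dc=example,dc=com
```

After the ldappasswd step the entry's userPassword reads {K5KEY}, so LDAP simple binds are checked against the same key the KDC uses, which is the single-source behaviour Scott describes.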
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users