Howard Chu wrote:
MIT is widely supported across a variety of operating systems, being the default Kerberos implementation on many of them. It has a lot of vendor support. Although the LDAP features of MIT Kerberos are relatively new, Red Hat has a lot of resources dedicated to ensuring they work well, since this is an important part of the freeIPA project.Date: Fri, 13 Jun 2008 11:48:50 -0700 From: Scott Grizzard <scott@xxxxxxxxxxxxxxxxx>With Heimdal and OpenLDAP, you can use the smbk5pwd overlay (it's in the contrib directory) to sync heimdal keys, openldap passwords (it actually points the openldap password to the heimdal key), and sambaLA and sambaNT hashes. Then, if you configure your client services to change passwords using ldappasswd, you can avoid the long chain of custom scripts to keep everything in sync.Right. (I figure you weren't explaining that to me, since I wrote all that code.)If there is something similar for MIT Kerberos and FDS, I would be sold in microsecond.That'd probably be a premature move. The MIT code is far less stable than Heimdal. Their library has a long history of thread safety issues, security flaws, and crashes in threaded servers. The MIT folks may be ok on the conceptual side, but when it comes to practical implementations they fumble the details more often than not. There are a lot of reasons both OpenLDAP and Samba support Heimdal.
Doesn't Samba 4 make this problem moot though?As far as I know Samba 4 handles password synchronization from the SMB side, but you still want to have synchronization for ldappasswd and such.
<<attachment: smime.p7s>>
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
