I'm using the 389 DS to authenticate users against all sorts of services (HTTP/IMAP/OpenVPN/etc) using the userPassword attribute. Now, I've recently installed a Kerberos server for secure authentication and configured the 389 DS against the Kerberos server, and am able to authenticate to the 389 DS using GSSAPI and perform searches. All is well.

But here's my dilemma: let's say the password in the LDAP userPassword attribute is "password1" and I change the Kerberos password to "password2". I now have two different passwords. I've seen references on some OpenLDAP-related mailing lists that you can put {KERBEROS}username@REALM in the userPassword attribute as a way of saying: "I don't have the password on file, but hang on, I'll just ask the Kerberos server to check if the supplied password is correct".

Does 389 DS support something like this?

Thanks.

--
Arnar 'Addi' Gunnarsson | System Administrator
http://addi.org/GPG-KEY.asc | RHCE · MCSA
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users