Arnar Gunnarsson wrote:
> I'm using the 389 DS to authenticate users against all sorts of services
> (HTTP/IMAP/OpenVPN/etc) using the userPassword attribute.
>
> Now, I've recently installed a kerberos server for secure authentication
> and configured the 389 DS against the kerberos server, and am able to
> authenticate to the 389 DS using GSSAPI and perform searches. All is
> well.
>
> But here's my dilemma:
>
> Let's say the password in the LDAP userPassword attribute is "password1"
> and I change the kerberos password to "password2", I now have two
> different passwords.
>
> I've seen references on some OpenLDAP related mailing lists that you can
> put {KERBEROS}username@REALM in the userPassword attribute as a way of
> saying: "I don't have the password on file, but hang on - I'll just ask
> the kerberos server to check if the supplied password is correct". Does
> 389 DS support something like this?

Yes. It's called PAM passthrough. It passes the authentication request to PAM rather than directly to kerberos.

http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through

> Thanks.
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
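As an added illustration, not part of this thread and not taken from the linked howto or the 389 DS project itself, here is the shape of the plugin configuration the reply points to: an LDIF modification of the PAM Pass Through Auth plugin entry under cn=config, applied with ldapmodify as Directory Manager. The attribute names are the plugin's own documented ones; the PAM service name `ldapserver` and the assumption that the matching `/etc/pam.d/ldapserver` stack is backed by `pam_krb5.so` are assumptions of this example.

```ldif
# Added example: enable 389 DS PAM pass-through so that simple binds are
# verified by PAM (and, through pam_krb5, by the KDC) instead of by the
# entry's userPassword attribute.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
# Binds against entries under these suffixes never go to PAM, so
# Directory Manager and replication binds keep using local LDAP auth.
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
-
# Reject a bind whose entry is outside every configured suffix instead of
# silently falling back to LDAP authentication.
replace: pamMissingSuffix
pamMissingSuffix: ERROR
-
# Use the value of the bind DN's RDN (uid=arnar,ou=People,... -> "arnar")
# as the PAM login name.
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
# Do NOT retry against userPassword when PAM says no. This is what keeps
# a stale LDAP password from working alongside the Kerberos one.
replace: pamFallback
pamFallback: FALSE
-
# Only pass binds that arrived over a secure (TLS/SSL) connection to PAM;
# the plugin handles the cleartext password, so refuse it on plain LDAP.
replace: pamSecure
pamSecure: TRUE
-
# Name of the PAM service file (assumed: /etc/pam.d/ldapserver) whose
# auth and account lines call pam_krb5.so.
replace: pamService
pamService: ldapserver
```

With `pamFallback: FALSE` the original poster's two-password situation cannot arise for covered entries: a bind either succeeds at the KDC via PAM or fails, and whatever is left in userPassword is never consulted. `pamSecure: TRUE` is the setting to check first when binds unexpectedly fail after enabling the plugin, since it rejects pass-through for clients that did not connect over TLS. The plugin entry needs a server restart to take effect, and the excluded suffixes should always include cn=config so an outage at the KDC cannot lock administrators out of the directory.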