Kerberos and LDAP password sync question


Lucas Dutra
Hello guys! :)

So, about the password sync between MIT Kerberos and LDAP, I've been
reading and discovered that the package smbk5pwd does this automatically, but
this one only supports Heimdal Kerberos. Does anyone know if there is any better
solution for the password sync? Or if there is some integration project going
on? I know that there is a package called smbkrb5pwd for MIT Kerberos, but
it seems outdated, so I don't know if it's OK to use now.

And just one more question: can I use a Heimdal KDC and an MIT client
without a compatibility problem? Or vice versa.

Thanks for the attention!
Lucas.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberos and LDAP password sync question

Brennecke, Simon
Hi Lucas,

I use a rather complex setup using MIT Kerberos, FreeRADIUS and OpenLDAP.

Passwords are in LDAP. The KDC does not hold any user passwords and instead asks the RADIUS server to verify passwords, which in turn goes through PAM and then to LDAP.

The setup requires your clients to support PKINIT/FAST, which I guess most clients do, but it requires additional setup.

Also you can do OTP using this setup, even switchable per user via LDAP.

If you have any questions regarding details, feel free to ask.

Regards

Simon
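One way to build the KDC and client side of the setup Simon describes, as an added example (this is not Simon's configuration and not code from the thread): MIT krb5's OTP preauthentication relays the user's factor to a RADIUS server inside a FAST tunnel, so the KDB holds only a random key the user never learns, and anonymous PKINIT supplies the FAST armor ticket. The FreeRADIUS/PAM/LDAP side is not shown. Realm, hostnames, file paths, principal names and the token type name `radius_pam` are assumptions; check the tags against the kdc.conf reference for your MIT krb5 version.

```shell
#!/bin/sh
# Added example, not configuration from the thread. Pieces of a
# "KDC holds no user passwords" setup using MIT krb5's OTP preauthentication:
# the KDC forwards the user's factor to a RADIUS server over a FAST tunnel.
# Realm, hostnames, paths, principal names and the token type name
# "radius_pam" are all assumptions; adjust them to your deployment.
set -eu

REALM="${REALM:-EXAMPLE.COM}"

# Write kdc.conf and krb5.conf fragments into DIR. Nothing here touches a
# live KDC, so this part can be run anywhere to inspect the result.
write_otp_config() {
    dir="$1"
    mkdir -p "$dir"

    # [otp]: one entry per token type. Its name ("radius_pam") is what a
    # principal's "otp" string attribute refers to. "secret" is an absolute
    # path, so the shared secret is read from that file instead of living in
    # kdc.conf; strip_realm sends "alice" rather than "alice@REALM" to
    # RADIUS, which is what a PAM/LDAP backend expects.
    # [realms]: KDC certificate and CA so anonymous PKINIT works; clients use
    # it to obtain the FAST armor ticket the OTP exchange requires.
    cat > "$dir/kdc.conf" <<EOF
[realms]
    $REALM = {
        pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
    }

[otp]
    radius_pam = {
        server = 127.0.0.1:1812
        secret = /var/lib/krb5kdc/radius.secret
        timeout = 15
        retries = 3
        strip_realm = true
    }
EOF

    # Client side: the CA that signed the KDC certificate, so "kinit -n" can
    # verify the KDC during anonymous PKINIT.
    cat > "$dir/krb5.conf" <<EOF
[libdefaults]
    default_realm = $REALM

[realms]
    $REALM = {
        kdc = kdc.example.com
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
    }
EOF
}

# KDC side, once per realm: the well-known principal anonymous PKINIT needs.
enable_anonymous_pkinit() {
    kadmin.local addprinc -randkey WELLKNOWN/ANONYMOUS
}

# KDC side, per user: a random key the user never learns, preauth forced so
# no TGT is issued without the OTP exchange, and the token type from [otp].
enroll_otp_principal() {
    user="$1"
    kadmin.local addprinc -randkey "$user"
    kadmin.local modprinc +requires_preauth "$user"
    kadmin.local setstr "$user" otp '[{"type":"radius_pam"}]'
}

# Client side: armor ticket via anonymous PKINIT, then the OTP-protected AS
# exchange. kinit prompts for the token value; the KDC hands it to RADIUS.
client_login() {
    user="$1"
    kinit -n -c /tmp/armor.ccache
    kinit -T /tmp/armor.ccache "$user"
}

# Running the script directly only writes the fragments to a scratch directory.
if [ "${1:-}" = "write" ]; then
    write_otp_config "${2:-./krb5-otp-example}"
fi
```

Because the OTP exchange runs inside FAST, the reply key is derived from the armor ticket rather than from the principal's long-term key, which is why `-randkey` is sufficient and the user's LDAP password never has to be copied into the KDB. Per-user switching of the mechanism is done by setting or clearing the `otp` string attribute.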
Re: Kerberos and LDAP password sync question

Greg Hudson
In reply to this post by Lucas Dutra
On 08/01/2017 03:14 AM, Lucas Dutra wrote:
> So, about the password sync between MIT Kerberos and LDAP, i’ve been
> reading and discovered the package smbk5pwd does this automatically, but
> this one only support Heimdal Kerberos. Anyone know if there is any better
> solution for the password sync?

There's krb5-sync, which works with MIT krb5 or Heimdal.  It's designed
to sync to Active Directory, so while it does sync passwords via LDAP,
I'm not sure it will work with just any LDAP server as the target.

https://www.eyrie.org/~eagle/software/krb5-sync/

> And just one more question, can i use a Heimdal KDC and a MIT Client
> without a compatibility problem? Or vice-versa.

For the standard Kerberos protocol and for password changes, yes.
Administrative operations (kadmin) do not use a standard protocol.  I
believe Heimdal implements limited admin protocol compatibility with MIT
krb5, but I'm not familiar with the details of that.
Re: Kerberos and LDAP password sync question

Russ Allbery-2
Greg Hudson <[hidden email]> writes:

> There's krb5-sync, which works with MIT krb5 or Heimdal.  It's designed
> to sync to Active Directory, so while it does sync passwords via LDAP,
> I'm not sure it will work with just any LDAP server as the target.

> https://www.eyrie.org/~eagle/software/krb5-sync/

It doesn't use LDAP to store the password, only the account status.  It
uses the Kerberos password change protocol to store the password.  So that
won't be immediately helpful for a generic LDAP server.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>