Re: ldap backend and password history

Re: ldap backend and password history

Jeff D'Angelo
On Mon Oct 21 14:14:34 EDT 2013, Mark Pröhl <[hidden email]> wrote:

> On 31.05.2013 18:30, Greg Hudson wrote:
> > On 05/31/2013 09:42 AM, Robert Viduya wrote:
> >> We're interested in using the ldap backend in our kerberos
> >> servers, but we really can't do without password history.  I'm
> >> curious why the feature was left out and if there are any plans
> >> to implement it?
> >
> > The LDAP KDB module was contributed to us by Novell, who
> > originally wrote it to work with their eDirectory product.  I
> > believe in that context the KDB is managed by their own tools and
> > not by kadmin, so things like password history support would be
> > inoperable.  I'm not sure whether the kadmin support was
> > retrofitted in by Novell or by MIT (it happened before I joined the
> > team), but extending the schema to support password history was
> > probably considered too difficult at the time.
> >
> > We don't have specific plans to add password history support to the
> > LDAP module, but it would be nice to have.
> >
>
> Hi,
>
> I think this would be very nice to have;-).  My understanding is that
> some new developments in MIT Kerberos (e.g. principal aliases) have
> been implemented only in the ldap backend. So users of MIT Kerberos
> that need those new features are driven to use the ldap backend. On
> the other hand, password history is often a required feature in
> companies' password policies.
>
> Are there really no plans to implement password history in kldap?
> Would patches be accepted?
>
> Does anybody know if there are any 3rd-party modules that can be used to
> have a working password history in MIT Kerberos with ldap backend? (I
> already checked krb5-strength)
>
> Regards,
>
> Mark

+1 on would like to see this.

Anyone make any progress towards this?

I'm going to guess the easier route would be to map the key history
parts of the adb structure into the appropriate LDAP attributes just as
the policy string maps to the DN reference of the policy object in LDAP.

--
Jeff

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: ldap backend and password history

Benjamin Kaduk-2
On Tue, 21 Oct 2014, Jeff D'Angelo wrote:

> Anyone make any progress towards this?

This is https://github.com/krb5/krb5/pull/132 .
We are waiting for an update from the submitter.

-Ben

Re: ldap backend and password history

Tomas Kuthan
On 10/22/14 01:24, Benjamin Kaduk wrote:
> On Tue, 21 Oct 2014, Jeff D'Angelo wrote:
>
>> Anyone make any progress towards this?
>
> This is https://github.com/krb5/krb5/pull/132 .
> We are waiting for an update from the submitter.

Yeah, I am sorry for the delay. I got diverted to another project.
I hope to get back to it in November.

Tomas
