Password synching

Booker Bense bbense at slac.stanford.edu
Thu Mar 11 17:02:16 EST 2004


On Thu, 11 Mar 2004, Digant Kasundra wrote:

> Is anyone aware of any product that can sync passwords between an MIT
> Kerberos KDC and MS Active Directory?
>
> Is it even possible to "hook into" a password change event in Kerberos?  Can
> that trigger an event or something of that sort?  I know that on the Windows
> side, you would add a password filter that would be called during the
> password change call and it would be used to make the change in external
> systems like Kerberos.
>


_ It's pretty trivial to do if you're up to reading the MIT
kadmind src code. I've done it for K4 syncing to both MIT K5 and
AD via some pretty awful hacks. I never really packaged up the
code to be useable for other people and I no longer work at
the part of Stanford that is responsible for that code. It
may be lurking about in Stanford's public AFS space somewhere;
the package is named aeakos. Everything but the library for
queueing requests is an awful hack.

_ In Heimdal it's even easier since it has a loadable module
interface for password quality checking and you can just stick
your awful hacks in there.

_ Booker C. Bense

