Password synching

Henry B. Hotz hotz at jpl.nasa.gov
Fri Mar 12 12:35:48 EST 2004


At 9:40 AM -0600 3/12/04, Digant Kasundra wrote:
>> >Is anyone aware of any product that can sync passwords
>> >between an MIT
>> >Kerberos KDC and MS Active Directory?
>>
>>  Alf Wachsmann at SLAC is doing this with Heimdal.
>>
>>  Personally I'd rather only have the passwords (keys actually) stored
>>  in one of the two, and I'd rather it wasn't the commercial product.
>>  Institutional requirements differ though.
>>  --
>>  The opinions expressed in this message are mine,
>>  not those of Caltech, JPL, NASA, or the US Government.
>>  Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
>>
>
>I agree completely.  We want to move away from AD and over to Kerb.  But the
>password syncing was a compromise between us (the Unix guys) and Windows
>guys.  We plan to do it on a non-permanent basis as a way of (a) migrating
>passwords from Windows to Kerb by trapping password change events over the
>next 3 or 4 months and (b) continuing to allow non-Kerb (NTLM only) apps to
>still login with the same "one username/one password."
>
>If either of you can help me out, I'd be grateful.

For short-term help you need to talk to Alf.  In addition to the 
documented hook, which lets you check/veto passwords, you need a 
second one where you record acceptable changes.  Alf did a patch for 
the second and I believe he has working code to actually implement 
the synchronization.

I hope he doesn't mind my advertising what he's done.

For more on my own ideas see the "Kerberos Feature Request" thread I 
started on kerbdev and the Heimdal list about a month ago.
-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

