Extract users kerberos passwords

hyc hyc at highlandsun.com
Thu Jun 16 04:05:00 EDT 2005


MIT Kerberos has gone through a half-dozen different db dump formats,
so precise instructions on how to extract the fields depends on the
exact software version you have and the options you specify to the
kdb5_dump command.

Meanwhile, by default OpenLDAP does not have any module that recognizes
what to do with a Kerberos key in the userPassword attribute. So once
you figure out what to do to get the key out of the KDC, there's still
a problem of what to do with it next.

There is an indirect route that should work - in the OpenLDAP 2.3
contrib directory there is a module that adds support for Samba
passwords and Heimdal Kerberos keys (see
contrib/slapd-modules/smbk5pwd). If you use the Heimdal Kerberos tools
to import the MIT dump into Heimdal format, then you should be able to
use the result with OpenLDAP. But there are a lot of steps to get there
(starting with obtaining and installing the Heimdal source code).

If you're interested in getting this to work, I think you should go all
the way - you can run the Heimdal KDC directly on top of OpenLDAP,
instead of using a flat file-based kerberos database. In this case, all
of your Kerberos account information is stored as attributes of regular
OpenLDAP account entries. Once you have the database loaded into
OpenLDAP you can do all your account administration from there and you
never need to run the Kerberos account management utilities any more.
If building all of the packages seems like too much effort for you, my
company (Symas Corp., http://www.symas.com) provides prepackaged
binaries of all of the necessary software, ready to install. (OpenLDAP,
Heimdal, OpenSSL, Cyrus SASL, BerkeleyDB, etc.)



More information about the Kerberos mailing list