that interop mess: ldap, samba, kerberos
Turbo Fredriksson
turbo at bayour.com
Mon Nov 21 02:20:34 EST 2005
Quoting "rektide" <rektide at gmail.com>:
> Is it still mainly all about having {KERBEROS}name at REALM.COM in
> userPassword?
Nowadays it's {SASL}, not {KERBEROS}.
> I noticed Turbo's guide never gives LDAP a keytab entry. His setup
> didn't require LDAP to do any writing to kerberos, so it was
> unnecessary. Is this still the case?
Since I've separated AUTHENTICATION and AUTHORIZATION, there's no need
for an LDAP/slapd keytab...
Passwords are in Kerberos (AUTHENTICATION) and information is in LDAP
(AUTHORIZATION). I didn't want to put the passwords in the LDAP backend,
because that would create a circular dependency which I didn't want (I
have too many of those anyway :).
> Of note, I do plan on running the KX509 / KCA setup off this at some
> point in the not too distant future. I'm running Heimdal and OpenLDAP
> 2.3.
Only Heimdal can have its password database in LDAP. I'm still running
MIT Kerberos V and have no intention to change. The MIT version works
fine for me.
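The split the post describes, with authentication in Kerberos and authorization in LDAP, shows up in the directory as userPassword values that are pass-through markers rather than stored secrets. The script below is an added example, not code from the thread or from Turbo's guide: it reads an LDIF export and reports, per entry, whether userPassword is a {SASL} pass-through marker, the older {KERBEROS} marker the thread mentions, or a hash or cleartext value that slapd verifies itself (which puts a copy of the secret back in LDAP). It assumes the usual OpenLDAP arrangement in which a value of the form {SASL}user@REALM is handed to saslauthd for verification against the KDC; the LDIF sample and the {SSHA} string are constructed.

```python
"""Audit an OpenLDAP LDIF export for where each account's secret actually lives."""
import base64
import re
from typing import Dict, List

# Constructed sample export (not from the thread). Values after "::" are
# base64, as ldapsearch emits them; carol's decodes to "{SASL}carol@EXAMPLE.COM".
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
userPassword: {SASL}alice@EXAMPLE.COM

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
userPassword: {KERBEROS}bob@EXAMPLE.COM

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
userPassword:: e1NBU0x9Y2Fyb2xARVhBTVBMRS5DT00=

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
userPassword: {SSHA}0FxVk1t0Yk4kOT9wOVZvYkxtODRXeHNLc0JHOUE5UT09

dn: uid=erin,ou=People,dc=example,dc=com
uid: erin
"""

_ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$")

# Scheme tags that mean slapd itself stores a verifier for the secret.
LOCAL_HASH_SCHEMES = ("{SSHA}", "{SHA}", "{MD5}", "{SMD5}", "{CRYPT}", "{CLEARTEXT}")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader (RFC 2849 subset): a blank line separates entries,
    a leading space folds a continuation line, '::' marks a base64 value."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        # Attribute names are case-insensitive in LDAP, so normalise them.
        current.setdefault(attr.lower(), []).append(value)
    return entries


def classify_password(value: str) -> str:
    """Map one userPassword value to where the secret is verified."""
    if value.startswith("{SASL}"):
        return "sasl-passthrough"  # slapd asks saslauthd, which asks the KDC
    if value.startswith("{KERBEROS}"):
        return "kerberos-legacy"   # older marker, superseded by {SASL}
    if value.upper().startswith(LOCAL_HASH_SCHEMES):
        return "local-hash"        # verifier stored in LDAP: breaks the separation
    return "local-cleartext"       # no scheme tag: slapd compares the value directly


def audit(text: str) -> Dict[str, str]:
    """Return {dn: status} for every entry in the LDIF text."""
    report: Dict[str, str] = {}
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        values = entry.get("userpassword", [])
        if not values:
            report[dn] = "no-password"  # cannot bind; fine for authorization-only objects
        else:
            report[dn] = "+".join(sorted({classify_password(v) for v in values}))
    return report


def needs_attention(report: Dict[str, str]) -> List[str]:
    """DNs that hold a secret in LDAP or still carry the legacy marker."""
    return sorted(dn for dn, status in report.items()
                  if status not in ("sasl-passthrough", "no-password"))


if __name__ == "__main__":
    result = audit(SAMPLE_LDIF)
    for dn, status in result.items():
        print(f"{status:18} {dn}")
    print("needs attention:", needs_attention(result))
```

Run it against a real export with `ldapsearch -LLL -x -D <admin> -W -b <base> userPassword > export.ldif` and point `audit()` at the file contents; any entry reported as local-hash or local-cleartext is one whose password is being kept in the LDAP backend rather than in the KDC.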
More information about the Kerberos mailing list