Creating a Kerberos user principal using LDAP

Michael Ströder michael at
Fri Mar 6 07:44:30 EST 2009

Dax Kelson wrote:
> If either tools has not been created, there is code from the FreeIPA
> project, inside ipa_pwd_extop.c (see that
> fetches the master key and properly create the ASN.1 encoded key. That
> code could be used as a starting point or inspiration.

Security wise catching the modify password extended operation at the
LDAP server's side is IMHO the right thing to do. FreeIPA does that for
Fedora Directory Server as backend for a MIT KDC. The overlay smbk5pwd
does it for OpenLDAP as backend for heimdal KDC.

Ciao, Michael.

More information about the Kerberos mailing list