Creating a Kerberos user principal using LDAP

Michael Ströder michael at stroeder.com
Fri Mar 6 07:44:30 EST 2009


Dax Kelson wrote:
> If either tool has not been created, there is code from the FreeIPA
> project, inside ipa_pwd_extop.c (see http://tinyurl.com/cfu63x) that
> fetches the master key and properly creates the ASN.1 encoded key. That
> code could be used as a starting point or inspiration.

Security-wise, catching the modify password extended operation at the
LDAP server's side is IMHO the right thing to do. FreeIPA does that for
Fedora Directory Server as backend for an MIT KDC. The overlay smbk5pwd
does it for OpenLDAP as backend for a Heimdal KDC.

Ciao, Michael.


