LDAP-Kerberos sync passwords

Michael Ströder michael at stroeder.com
Tue Mar 31 06:12:10 EDT 2009

Adriana Gologaneanu wrote:
> Debian Etch
> - slapd: 2.3.30-5+etch2
> - krb5-kdc: 1.4.4-7etch6
> I just found with Lenny a plugin: krb5-kdc-ldap that allows the KDC data
> to be stored in an LDAP server.
> Let me test it and I will give you feedback.

It won't help since the credentials are stored in different attributes.

You need something which syncs the credential attributes. This is e.g.
possible with OpenLDAP/Heimdal and a server-side overlay (server-side
plugin) called smbk5pwd which intercepts the LDAP Password Modify
Extended Operation requests and then sets all relevant attributes. The
FreeIPA folks have implemented something similar for MIT KDC with Fedora
Directory Server. I don't know a solution for OpenLDAP / MIT KDC though.

Also note that the LDAP schema for MIT KDC and Heimdal KDC differ.

Ciao, Michael.
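As an added illustration, not code from this thread and not the smbk5pwd module's own code: the overlay Michael describes hooks the LDAP Password Modify Extended Operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1), because that is the one place where the server holds the cleartext new password and can rewrite every credential attribute at once. The following Python encodes and decodes the request value that such an overlay sees, with no LDAP server needed. The DNs and passwords are constructed sample values; `resolve_target` models two RFC 3062 cases an overlay must handle (no userIdentity means "the bound identity", no newPasswd means "the server generates one").

```python
"""
RFC 3062 Password Modify request value: what a server-side overlay such as
smbk5pwd intercepts.  Pure Python BER, no LDAP server required.

    PasswdModifyRequestValue ::= SEQUENCE {
        userIdentity  [0] OCTET STRING OPTIONAL,
        oldPasswd     [1] OCTET STRING OPTIONAL,
        newPasswd     [2] OCTET STRING OPTIONAL }
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # requestName of the exop (RFC 3062)

TAG_SEQUENCE = 0x30
TAG_USER_IDENTITY = 0x80  # [0] context-specific, primitive
TAG_OLD_PASSWD = 0x81     # [1]
TAG_NEW_PASSWD = 0x82     # [2]


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag/length/value at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:end], end


@dataclass
class PasswdModifyRequest:
    user_identity: Optional[str] = None   # usually a DN; absent = bound identity
    old_passwd: Optional[bytes] = None
    new_passwd: Optional[bytes] = None    # absent = server must generate one

    def encode(self) -> bytes:
        parts = b""
        if self.user_identity is not None:
            parts += _tlv(TAG_USER_IDENTITY, self.user_identity.encode("utf-8"))
        if self.old_passwd is not None:
            parts += _tlv(TAG_OLD_PASSWD, self.old_passwd)
        if self.new_passwd is not None:
            parts += _tlv(TAG_NEW_PASSWD, self.new_passwd)
        return _tlv(TAG_SEQUENCE, parts)

    @classmethod
    def decode(cls, data: bytes) -> "PasswdModifyRequest":
        tag, body, end = _read_tlv(data, 0)
        if tag != TAG_SEQUENCE or end != len(data):
            raise ValueError("expected a single SEQUENCE")
        req, pos, last_tag = cls(), 0, 0
        while pos < len(body):
            tag, value, pos = _read_tlv(body, pos)
            if tag <= last_tag:  # fields are optional but must appear in order, once
                raise ValueError("fields out of order or duplicated")
            last_tag = tag
            if tag == TAG_USER_IDENTITY:
                req.user_identity = value.decode("utf-8")
            elif tag == TAG_OLD_PASSWD:
                req.old_passwd = value
            elif tag == TAG_NEW_PASSWD:
                req.new_passwd = value
            else:
                raise ValueError("unexpected tag 0x%02x" % tag)
        return req


def resolve_target(req: PasswdModifyRequest, bound_dn: str) -> Tuple[str, bool]:
    """Return (entry whose credentials change, whether the server must generate
    the new password).  Both follow the RFC 3062 rules for absent fields."""
    target = req.user_identity if req.user_identity else bound_dn
    return target, req.new_passwd is None


if __name__ == "__main__":
    # Constructed sample request, as ldappasswd -S would send it for another user.
    sample = PasswdModifyRequest("uid=alice,dc=example,dc=com", b"old", b"new-secret")
    wire = sample.encode()
    print(wire.hex())
    print(PasswdModifyRequest.decode(wire))
    print(resolve_target(sample, "cn=admin,dc=example,dc=com"))
```

Any attribute the overlay writes (userPassword, the KDC's key attributes, Samba hashes) is derived inside this one request handler; a client that instead does a plain `modify` on `userPassword` bypasses it, which is why Michael says the exop is the hook point.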

More information about the Kerberos mailing list