LDAP-Kerberos sync passwords

Simo Sorce ssorce at redhat.com
Tue Mar 31 10:37:30 EDT 2009

On Tue, 2009-03-31 at 12:12 +0200, Michael Ströder wrote:
> Adriana Gologaneanu wrote:
> > Debian Etch
> > - slapd: 2.3.30-5+etch2
> > - krb5-kdc: 1.4.4-7etch6
> > 
> > I just found with Lenny a plugin: krb5-kdc-ldap that allows the KDC data
> > to be stored in an LDAP server.
> > Let me test it and I will give you a feedback.
> It won't help since the credentials are stored in different attributes.
> You need something which syncs the credential attributes. This is e.g.
> possible with OpenLDAP/Heimdal and a server-side overlay (server-side
> plugin) called smbk5pwd which intercepts the LDAP Password Modify
> Extended Operation requests and then sets all relevant attributes. The
> FreeIPA folks have implemented something similar for MIT KDC with Fedora
> Directory Server. I don't know a solution for OpenLDAP / MIT KDC though.
> Also note that the LDAP schema for MIT KDC and heimdal KDC differ.

The FreeIPA plugin has been written using the SLAPI interface. I think
OpenLDAP still support that interface too, so maybe it is not too
difficult to port the plugin to OpenLDAP.


Simo Sorce * Red Hat, Inc * New York

More information about the Kerberos mailing list