decrypting the user password
Asmaa Ahmed
asabatgirl at hotmail.com
Wed Feb 13 06:36:41 EST 2013
Hello,
Thanks for this, but still can't solve my problem! I have followed pretty much the instructions in the following to get ldap/kerberos to work together: http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php#ausr
I can successfully now create kerberos ticket and check, but I don't understand why the binding doesn't work any more as it was before integrating Kerberos! Here are the errors I get in the ldap/kerb server provider while trying to login using "aahmed" user:
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 fd=24 ACCEPT from IP=203.28.247.193:50420 (IP=0.0.0.0:389)
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 op=0 BIND dn="" method=128
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 op=0 RESULT tag=97 err=0 text=
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=0 filter="(&(objectClass=*)(uid=aahmed))"
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 op=1 SRCH attr=uid cn mail modifyTimestamp
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 op=2 UNBIND
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 fd=24 closed
Any idea how I can solve this?
Thanks.
> Date: Wed, 13 Feb 2013 08:05:07 +0100
> From: spappalardo at renegadetech.com
> To: asabatgirl at hotmail.com
> CC: kerberos at mit.edu
> Subject: Re: decrypting the user password
>
> Hello.
>
> On 02/13/2013 05:53 AM, Asmaa Ahmed wrote:
> > I am having kerberos MIT integrated to LDAP as a backend which is
> > good so far. The problem that I have some applications doesn't support
> > Kerberos to restore the user credentials.
>
> Do they support authentication with LDAP? If so, you can configure your
> LDAP server to use SASL to check the user passwords against Kerberos.
> See this article:
> http://thomas.dereyck.eu/wiki/Setting%20up%20an%20LDAP%20server#Enabling_pass-through_authentication_to_Kerberos
>
> > I wonder if I can decrypt
> > the password from Kerberos server manually to have it in a plaintext,
>
> As Chris said, that's a big security risk and completely defeats
> Kerberos' purpose. If the applications don't allow any external
> authentication, you might be able to find a plug-in that sits between
> the application and the DB that intercepts the auth requests and
> services them with SASL or Kerberos directly.
>
> Sincerely,
> Sean M. Pappalardo
> Sr. Networks Engineer
> Renegade Technologies
> spappalardo at renegadetech.com
> Office: (630) 631-6188
> http://www.renegadetech.com
>
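An added example, not part of the original thread: a small Python parser that correlates the slapd log lines quoted in the message above by connection and operation and names each LDAP result code (RFC 4511: 0 is success, 32 is noSuchObject). The names `summarize`, `SAMPLE` and `RESULT_CODES` are this example's own, and the sample input is the log copied from the message.

```python
import re

# slapd log lines copied from the message above (single connection, conn=1004).
SAMPLE = """\
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 fd=24 ACCEPT from IP=203.28.247.193:50420 (IP=0.0.0.0:389)
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 op=0 BIND dn="" method=128
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 op=0 RESULT tag=97 err=0 text=
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=0 filter="(&(objectClass=*)(uid=aahmed))"
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 op=1 SRCH attr=uid cn mail modifyTimestamp
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 op=2 UNBIND
Feb 13 21:16:53 ldap slapd[12064]: conn=1004 fd=24 closed
"""

# Subset of RFC 4511 result codes that commonly show up when debugging logins.
RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}
LINE = re.compile(r"conn=(\d+) (?:op=(\d+) )?(.*)$")

def summarize(log_text):
    """Merge each request with its RESULT line, keyed by (conn, op)."""
    ops = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m.group(2) is None:
            continue  # ACCEPT and closed lines carry no op number
        op = ops.setdefault((int(m.group(1)), int(m.group(2))), {})
        rest = m.group(3)
        if rest.startswith("BIND "):
            op["kind"] = "bind"
            op["dn"] = re.search(r'dn="([^"]*)"', rest).group(1) or "(anonymous)"
            if "method=" in rest:
                op["simple"] = "method=128" in rest  # 128 = simple bind
        elif rest.startswith("UNBIND"):
            op["kind"] = "unbind"
        elif rest.startswith("SRCH base="):
            op["kind"] = "search"
            op["base"] = re.search(r'base="([^"]*)"', rest).group(1)
            op["filter"] = re.search(r'filter="(.*)"', rest).group(1)
        elif "RESULT" in rest:
            op["err"] = int(re.search(r"err=(\d+)", rest).group(1))
            op["result"] = RESULT_CODES.get(op["err"], "code %d" % op["err"])
            n = re.search(r"nentries=(\d+)", rest)
            if n:
                op["nentries"] = int(n.group(1))
    return ops

if __name__ == "__main__":
    for key, op in sorted(summarize(SAMPLE).items()):
        print(key, op)
```

On this trace, op=0 is an anonymous simple bind that returns success, and op=1 is the search under ou=People,dc=domain,dc=com that returns noSuchObject with nentries=0.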