Password Ldap syncing

Simo Sorce simo at
Thu Mar 21 09:39:42 EDT 2013

On Thu, 2013-03-21 at 10:58 +0100, Jean-Christophe Gay wrote:
> On Wed, 20 Mar 2013 15:02:15 +0100,
> sergio.conrad at wrote:
> > Hello,
> > I have a problem with password encryption
> > At my work there is an already in-production LDAP directory. The
> > userPassword is encrypted in {SSHA}. I am not planning to introduce
> > any modifications into this directory, but I need the password to
> > create the Kerberos principal.
> > 
> > Is there a possibility to achieve this goal?
> We had the same configuration as yours and we didn't want to hack every
> password in the LDAP.
> What we did was simply change our "change password" application so it
> can intercept the user's password, then create the kerberos principal
> associated with this user, and then update the LDAP password.
> With this set up we simply asked everyone to change his password, this
> time allowing users to set their old password.

In the FreeIPA project we did it with a 'migration' option where we
intercept the bind operation with an SLAPI plugin.

The user only needs to log in once with his password. If the bind is
successful we take the saved password and generate Kerberos keys on the
fly and store them in the directory.

This means the mechanism needs to be able to generate the keys and store
them, but it is not a complex mechanism and it avoids the dreadful need
for users to change their passwords.


Simo Sorce * Red Hat, Inc * New York
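A model of the bind-interception flow described above, added here as an example and not FreeIPA's SLAPI plugin code. It assumes a constructed directory entry, a hypothetical `krbKeyMaterial` attribute for the stored key, and stops at the PBKDF2 stage of the RFC 3962 aes256 string-to-key (the final AES-based DK step is omitted to stay within the Python standard library). The point it shows is why the plaintext is needed at bind time: an {SSHA} value can be verified but never turned back into a Kerberos key.

```python
import base64
import hashlib
import hmac

REALM = "EXAMPLE.COM"  # constructed realm for the example


def make_ssha(password: str, salt: bytes) -> str:
    """Encode a password the way the thread's directory stores it:
    {SSHA}base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: str) -> bool:
    """The 'bind' step: a salted SHA-1 hash can only be verified, not reversed."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def kerberos_pbkdf2(password: str, principal_name: str, realm: str = REALM) -> bytes:
    """First stage of the RFC 3962 aes256-cts-hmac-sha1-96 string-to-key:
    PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output, with the default salt
    (realm followed by the principal name components, no separators).
    The final DK(tkey, "kerberos") AES step is intentionally left out here."""
    salt = (realm + principal_name).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, dklen=32)


def migrate_on_bind(entry: dict, principal_name: str, password: str) -> bool:
    """Model of the migration plugin: only a successful bind yields the plaintext,
    and only then can key material be derived and stored (hypothetical attribute)."""
    if not check_ssha(entry["userPassword"], password):
        return False  # failed bind: nothing is learned and nothing is stored
    if "krbKeyMaterial" not in entry:
        entry["krbKeyMaterial"] = kerberos_pbkdf2(password, principal_name)
    return True
```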

More information about the Kerberos mailing list