Key history with LDAP backend?

Andreas Ntaflos daff at pseudoterminal.org
Tue Nov 4 12:54:10 EST 2014


Hi,

I see that the "-history" option for "add_policy" (in kadmin) is not
supported when using the LDAP backend for Kerberos [1].

Is there *any* other way to ensure a user doesn't use one of his
previous four keys when changing passwords and the Kerberos database is
in LDAP? I ask because this is apparently a requirement in the PCI DSS
and Card Production standard (section 7.2.2 in the latter), which will
become relevant for us in a few months for a new site we are building.

We normally use the LDAP backend for Kerberos at our existing sites
which works great and allows us, among other things, to leverage
OpenLDAP's mirror-mode replication for high availability instead of
having to run kprop/kpropd via Cron.

I'd like to use LDAP as a Kerberos database at the new site but this
requirement and the missing history support seem like a show stopper.

Any ideas or advice?

Thanks,

Andreas

[1] http://web.mit.edu/kerberos/krb5-devel/doc/admin/database.html#add-policy
