Key history with LDAP backend?
Andreas Ntaflos
daff at pseudoterminal.org
Tue Nov 4 12:54:10 EST 2014
Hi,
I see that the "-history" option for "add_policy" (in kadmin) is not
supported when using the LDAP backend for Kerberos [1].
Is there *any* other way to ensure a user doesn't use one of his
previous four keys when changing passwords and the Kerberos database is
in LDAP? I ask because this is apparently a requirement in the PCI DSS
and Card Production standard (section 7.2.2 in the latter), which will
become relevant for us in a few months for a new site we are building.
We normally use the LDAP backend for Kerberos at our existing sites
which works great and allows us, among other things, to leverage
OpenLDAP's mirror-mode replication for high availability instead of
having to run kprop/kpropd via Cron.
I'd like to use LDAP as a Kerberos database at the new site but this
requirement and the missing history support seem like a show stopper.
Any ideas or advice?
Thanks,
Andreas
[1]
http://web.mit.edu/kerberos/krb5-devel/doc/admin/database.html#add-policy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20141104/5805e295/attachment.bin
More information about the Kerberos
mailing list