ldap backend and password history

Greg Hudson ghudson at MIT.EDU
Fri May 31 12:30:10 EDT 2013

On 05/31/2013 09:42 AM, Robert Viduya wrote:
> We're interested in using the LDAP backend in our Kerberos servers, but we really can't do without password history. I'm curious why the feature was left out and if there are any plans to implement it?

The LDAP KDB module was contributed to us by Novell, who originally
wrote it to work with their eDirectory product.  I believe in that
context the KDB is managed by their own tools and not by kadmin, so
things like password history support would be inoperable.  I'm not sure
whether the kadmin support was retrofitted in by Novell or by MIT (it
happened before I joined the team), but extending the schema to support
password history was probably considered too difficult at the time.

We don't have specific plans to add password history support to the LDAP
module, but it would be nice to have.
