ldap backend and password history

Mark Pröhl mark at mproehl.net
Mon Oct 21 14:14:34 EDT 2013

On 31.05.2013 18:30, Greg Hudson wrote:
> On 05/31/2013 09:42 AM, Robert Viduya wrote:
>> We're interested in using the ldap backend in our kerberos
>> servers, but we really can't do without password history.  I'm
>> curious why the feature was left out and if there are any plans
>> to implement it?
> The LDAP KDB module was contributed to us by Novell, who
> originally wrote it to work with their eDirectory product.  I
> believe in that context the KDB is managed by their own tools and
> not by kadmin, so things like password history support would be
> inoperable.  I'm not sure whether the kadmin support was
> retrofitted in by Novell or by MIT (it happened before I joined the
> team), but extending the schema to support password history was
> probably considered too difficult at the time.
> We don't have specific plans to add password history support to the
> LDAP module, but it would be nice to have.


I think this would be very nice to have ;-).  My understanding is that
some new developments in MIT Kerberos (e.g. principal aliases) have
been implemented only in the ldap backend. So users of MIT Kerberos
that need those new features are driven to use the ldap backend. On
the other hand, password history is often a required feature in
companies' password policies.

Are there really no plans to implement password history in kldap?
Would patches be accepted?

Does anybody know if there are any 3rd-party modules that can be used to
have a working password history in MIT Kerberos with ldap backend? (I
already checked krb5-strength)




More information about the krbdev mailing list