ldap backend and password history

Jeff D'Angelo jcd at psu.edu
Tue Oct 21 18:58:03 EDT 2014

On Mon Oct 21 14:14:34 EDT 2013, Mark Pröhl <mark at mproehl.net> wrote:
> On 31.05.2013 18:30, Greg Hudson wrote:
> > On 05/31/2013 09:42 AM, Robert Viduya wrote:
> >> We're interested in using the ldap backend in our kerberos
> >> servers, but we really can't do without password history.  I'm
> >> curious why the feature was left out and if there are any plans
> >> to implement it?
> >
> > The LDAP KDB module was contributed to us by Novell, who
> > originally wrote it to work with their eDirectory product.  I
> > believe in that context the KDB is managed by their own tools and
> > not by kadmin, so things like password history support would be
> > inoperable.  I'm not sure whether the kadmin support was
> > retrofitted in by Novell or by MIT (it happened before I joined the
> > team), but extending the schema to support password history was
> > probably considered too difficult at the time.
> >
> > We don't have specific plans to add password history support to the
> > LDAP module, but it would be nice to have.
> >
> Hi,
> I think this would be very nice to have ;-). My understanding is that
> some new developments in MIT Kerberos (e.g. principal aliases) have
> been implemented only in the ldap backend. So users of MIT Kerberos
> that need those new features are driven to use the ldap backend. On
> the other hand, password history is often a required feature in
> companies' password policies.
> Are there really no plans to implement password history in kldap?
> Would patches be accepted?
> Does anybody know if there are any 3rd-party modules that can be used to
> have a working password history in MIT Kerberos with ldap backend? (I
> already checked krb5-strength)
> Regards,
> Mark

+1, I would like to see this.

Anyone make any progress towards this?

I'm going to guess the easier route would be to map the key history
parts of the adb structure into the appropriate LDAP attributes just as
the policy string maps to the DN reference of the policy object in LDAP.
