Why kdb5_ldap_util create does not need -H but kdb5_ldap_util list needs -H
ghudson at mit.edu
Tue Sep 10 01:34:54 EDT 2019
On 9/6/19 11:43 AM, Дилян Палаузов wrote:
> Alright. While “kdb5_ldap_util create -r Y.EXAMPLE” does take the ldap address from the ldap_servers setting for the
> realm/domain, so no -H parameter is necessary, how is “kdb5_ldap_util list” supposed to obtain the address of the
> ldap_server to connect to? Does it use, if -H is missing, the ldap_server of the default domain?
> Is there any way that MIT Kerberos withLDAP can use the
> user passwords stored in inetorgperson:userPassword attribute, instead from the krbPrincipalKey: attribute? The use
> case is to reuse an existing infrastructure, where passwords are already hashed in userPassword.
No, a Kerberos database cannot use hashed LDAP passwords. Kerberos uses
an enctype-specific string-to-key conversion on passwords, and that
conversion doesn't resemble the password hashing used in LDAP.
> admin/conf_ldap.html proposes these access rigths:
These and some of the other rights can be removed from the
documentation, as far as I can tell. They may date back to the Novell
eDirectory origins of the LDAP KDB module.
I filed https://github.com/krb5/krb5/pull/974 to update the
documentation, and will merge it after review. Thanks for the detailed
feedback. (Also, per the ticket you filed a week ago, I will look into
adding epub versions of the documentation.)
More information about the krbdev