Why kdb5_ldap_util create does not need -H but kdb5_ldap_util list needs -H

Greg Hudson ghudson at mit.edu
Tue Sep 10 01:34:54 EDT 2019

On 9/6/19 11:43 AM, Дилян Палаузов wrote:
> Alright.  While “kdb5_ldap_util create -r Y.EXAMPLE” does take the ldap address from the ldap_servers setting for the
> realm/domain, so no -H parameter is necessary, how is “kdb5_ldap_util list” supposed to obtain the address of the
> ldap_server to connect to?  Does it use, if -H is missing, the ldap_server of the default domain?


> Is there any way that MIT Kerberos withLDAP can use the
> user passwords stored in inetorgperson:userPassword attribute, instead from the krbPrincipalKey: attribute?  The use
> case is to reuse an existing infrastructure, where passwords are already hashed in userPassword.

No, a Kerberos database cannot use hashed LDAP passwords.  Kerberos uses
an enctype-specific string-to-key conversion on passwords, and that
conversion doesn't resemble the password hashing used in LDAP.

> admin/conf_ldap.html proposes these access rigths:

These and some of the other rights can be removed from the
documentation, as far as I can tell.  They may date back to the Novell
eDirectory origins of the LDAP KDB module.

I filed https://github.com/krb5/krb5/pull/974 to update the
documentation, and will merge it after review.  Thanks for the detailed
feedback.  (Also, per the ticket you filed a week ago, I will look into
adding epub versions of the documentation.)

More information about the krbdev mailing list