[36599] in Kerberos
Key history with LDAP backend?
daemon@ATHENA.MIT.EDU (Andreas Ntaflos)
Tue Nov 4 12:54:30 2014
Message-ID: <545912C2.9090600@pseudoterminal.org>
Date: Tue, 04 Nov 2014 18:54:10 +0100
From: Andreas Ntaflos <daff@pseudoterminal.org>
To: kerberos@mit.edu
Hi,
I see that the "-history" option for "add_policy" (in kadmin) is not
supported when using the LDAP backend for Kerberos [1].
Is there *any* other way to ensure a user doesn't use one of his
previous four keys when changing passwords and the Kerberos database is
in LDAP? I ask because this is apparently a requirement in the PCI DSS
and Card Production standard (section 7.2.2 in the latter), which will
become relevant for us in a few months for a new site we are building.
We normally use the LDAP backend for Kerberos at our existing sites
which works great and allows us, among other things, to leverage
OpenLDAP's mirror-mode replication for high availability instead of
having to run kprop/kpropd via Cron.
I'd like to use LDAP as a Kerberos database at the new site but this
requirement and the missing history support seem like a show stopper.
Any ideas or advice?
Thanks,
Andreas
[1] http://web.mit.edu/kerberos/krb5-devel/doc/admin/database.html#add-policy
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos