[30814] in Kerberos
Re: Creating a Kerberos user principal using LDAP
daemon@ATHENA.MIT.EDU (Michael Ströder)
Fri Mar 6 14:03:41 2009
From: Michael Ströder <michael@stroeder.com>
Date: Fri, 06 Mar 2009 13:44:30 +0100
Message-ID: <eei786-kh8.ln1@nb2.stroeder.com>
In-Reply-To: <mailman.58.1236297842.14058.kerberos@mit.edu>
To: kerberos@mit.edu
Dax Kelson wrote:
> If either tool has not been created, there is code from the FreeIPA
> project, inside ipa_pwd_extop.c (see http://tinyurl.com/cfu63x) that
> fetches the master key and properly creates the ASN.1 encoded key. That
> code could be used as a starting point or inspiration.
Security-wise, catching the modify password extended operation at the
LDAP server's side is IMHO the right thing to do. FreeIPA does that for
Fedora Directory Server as backend for an MIT KDC. The overlay smbk5pwd
does it for OpenLDAP as backend for a Heimdal KDC.
Ciao, Michael.