[29984] in Kerberos
Re: krbUPEnabled LDAP attribute
daemon@ATHENA.MIT.EDU (Savitha R)
Wed Jun 18 00:29:56 2008
Message-Id: <4858DC7A.C217.0053.0@novell.com>
Date: Tue, 17 Jun 2008 22:34:53 -0600
From: "Savitha R" <rsavitha@novell.com>
To: "Klaus Heinrich Kiwi" <klausk@linux.vnet.ibm.com>, <kerberos@mit.edu>
In-Reply-To: <1213672030.17827.44.camel@klausk.br.ibm.com>
>>> On Tue, Jun 17, 2008 at 8:37 AM, in message
<1213672030.17827.44.camel@klausk.br.ibm.com>, Klaus Heinrich Kiwi
<klausk@linux.vnet.ibm.com> wrote:
> Is this attribute actually supported in the current KDB LDAP plugin
> implementation? I.e., the only code I can see that is dealing with this
> attribute in the current tree refers to setting the permissions to this
> attribute in the LDAP Database (ldap_service_rights.c).
>
No, this attribute is not supported in the current LDAP plugin implementation.
> And what does it actually mean that "directory User Password has to be
> used" (krbUPEnabled=TRUE)? The required password to authenticate a user
> principal would be the same password used to bind with this user DN in
> the directory? Is that possible with the current KDB Abstraction Layer?
Yes, this is to enable the user to use the same password for directory authentication
and Kerberos authentication. There could be various ways of achieving this.
We have implemented an external mechanism which synchronizes the directory
and Kerberos passwords.
-Savitha
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos