How to synchronize Kerberos and SASL passwords?
Patrick Ben Koetter
p at state-of-mind.de
Thu Nov 29 05:47:25 EST 2007
* Sebastian Hagedorn <Hagedorn at uni-koeln.de>:
> Hi Gary,
>
> --On 28. November 2007 19:40:22 -0600 Gary Mills <mills at cc.umanitoba.ca>
> wrote:
>
> >We have a central database that contains Unix, NTLM, and SASL
> >passwords, permitting single-password signons for Unix and Windows
> >desktops, and for Cyrus IMAP. I'd like to add Kerberos to this mix,
> >but only for IMAP authentications initially. This would permit
> >single-signon from Unix IMAP clients like mutt and pine, and
> >especially from a webmail application using pubcookie for
> >authentication. I'd like Kerberos to use the same passwords, rather
> >than supporting another password database. Is anybody doing this? Is
> >it even possible?
>
> I don't think so, but I could be wrong.
I've heard (!) that if the central database is LDAP one can use an OpenLDAP
overlay that syncronizes passwords in several services and IIRC Kerberos was
also mentioned. See <http://www.symas.com/introtooverlays.shtml> and look for
"smbk5pwd".
HTH,
p at rick
>
> >If not, would it be possible to keep them
> >synchronized?
>
> Well, I would assume that your "SASL passwords" are actually plain text,
> right? If you have the the actual passwords you can of course keep two
> databases in sync. We do something similar. There's a cron job that runs
> once per hour and handles deltas.
> --
> .:.Sebastian Hagedorn - RZKR-R1 (Gebäude 52), Zimmer 18.:.
> Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
> .:.Universität zu Köln / Cologne University - ✆ +49-221-478-5587.:.
> .:.:.:.Skype: shagedorn.:.:.:.
--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
More information about the Cyrus-sasl
mailing list