How to synchronize Kerberos and SASL passwords?
Dan White
dwhite at olp.net
Thu Nov 29 10:16:57 EST 2007
Dieter Kluenter wrote:
> Patrick Ben Koetter <p at state-of-mind.de> writes:
>
>> * Sebastian Hagedorn <Hagedorn at uni-koeln.de>:
>>> Hi Gary,
>>>
>>> --On 28. November 2007 19:40:22 -0600 Gary Mills <mills at cc.umanitoba.ca>
>>> wrote:
>>>
>>>> We have a central database that contains Unix, NTLM, and SASL
>>>> passwords, permitting single-password signons for Unix and Windows
>>>> desktops, and for Cyrus IMAP. I'd like to add Kerberos to this mix,
>>>> but only for IMAP authentications initially. This would permit
>>>> single-signon from Unix IMAP clients like mutt and pine, and
>>>> especially from a webmail application using pubcookie for
>>>> authentication. I'd like Kerberos to use the same passwords, rather
>>>> than supporting another password database. Is anybody doing this? Is
>>>> it even possible?
>>> I don't think so, but I could be wrong.
>> I've heard (!) that if the central database is LDAP one can use an OpenLDAP
>> overlay that synchronizes passwords in several services and IIRC Kerberos was
>> also mentioned. See <http://www.symas.com/introtooverlays.shtml> and look for
>> "smbk5pwd".
>
> This overlay is only synchronising smb and krb5 passwords if these are
> held in the directory, for krb5 this can only be achieved with heimdal
> krb5.
Gary,
In addition to the smbk5pwd, you may also want to check out nss_ldap:
http://www.padl.com/OSS/nss_ldap.html
and if using PAM, pam_ldap:
http://www.padl.com/OSS/pam_ldap.html
and also the ldapdb SASL auxprop plugin.
nss_ldap will allow you to store additional /etc/passwd,
/etc/group and /etc/shadow entries into LDAP.
SASL can be configured to use ldapdb to retrieve and store
passwords in LDAP.
Samba and Heimdal (as mentioned above) can be configured to store
their users and principals into the same LDAP store, and the
smbk5pwd overlay will update the samba and kerberos entries when
the userPassword is changed, via an LDAP password extended operation.
Passwords can be changed via the ldappasswd command, or pam_ldap
can be configured to perform the password extended operation each
time a 'passwd' is run to change passwords.
- Dan
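An added configuration example (not from Dan's post or from the OpenLDAP/Heimdal/Cyrus projects) showing how the pieces he lists fit together: the smbk5pwd overlay on the slapd side, ldapdb as the SASL auxprop plugin, and pam_ldap driving `passwd` through the Password Modify extended operation. The suffix dc=example,dc=com, the schema paths and the identity uid=sasl-proxy are assumptions.

```conf
# --- slapd.conf (OpenLDAP): smbk5pwd overlay on the user database ---
include         /etc/openldap/schema/samba.schema     # sambaSamAccount
include         /etc/openldap/schema/hdb.schema       # Heimdal krb5KDCEntry
moduleload      smbk5pwd.la

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

# The overlay only hooks the Password Modify extended operation (RFC 3062).
# A change made that way rewrites sambaNTPassword/sambaLMPassword and the
# Heimdal krb5Key values in the same entry; a plain LDAP modify of
# userPassword bypasses the overlay and leaves NT hash and Kerberos keys
# stale, so every password-changing client must use the exop path.
overlay         smbk5pwd
smbk5pwd-enable samba
smbk5pwd-enable krb5
smbk5pwd-must-change 7776000      # 90 days; 0 disables expiry

# Users change their own password; the SASL proxy identity (assumed name)
# may read it for ldapdb; everyone else may only bind against it.
access to attrs=userPassword
        by self write
        by dn.exact="uid=sasl-proxy,ou=people,dc=example,dc=com" read
        by anonymous auth
        by * none

# --- /etc/imapd.conf (Cyrus IMAP): SASL ldapdb auxprop instead of sasldb ---
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldapi:///
sasl_ldapdb_id: sasl-proxy
sasl_ldapdb_pw: PROXY-PASSWORD-PLACEHOLDER   # keep this file root-only
sasl_ldapdb_mech: DIGEST-MD5

# --- /etc/ldap.conf (PADL pam_ldap): make `passwd` use the extended op ---
host ldap.example.com
base dc=example,dc=com
pam_password exop
```

Checking the path by hand, `ldappasswd -H ldapi:/// -D "uid=alice,ou=people,dc=example,dc=com" -W -S` issues the same extended operation, so after it the entry's sambaNTPassword and krb5Key attributes should have changed together with userPassword.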