How to synchronize Kerberos and SASL passwords?

Dan White dwhite at olp.net
Thu Nov 29 10:16:57 EST 2007


Dieter Kluenter wrote:
> Patrick Ben Koetter <p at state-of-mind.de> writes:
> 
>> * Sebastian Hagedorn <Hagedorn at uni-koeln.de>:
>>> Hi Gary,
>>>
>>> --On 28. November 2007 19:40:22 -0600 Gary Mills <mills at cc.umanitoba.ca> 
>>> wrote:
>>>
>>>> We have a central database that contains Unix, NTLM, and SASL
>>>> passwords, permitting single-password signons for Unix and Windows
>>>> desktops, and for Cyrus IMAP.  I'd like to add Kerberos to this mix,
>>>> but only for IMAP authentications initially.  This would permit
>>>> single-signon from Unix IMAP clients like mutt and pine, and
>>>> especially from a webmail application using pubcookie for
>>>> authentication.  I'd like Kerberos to use the same passwords, rather
>>>> than supporting another password database.  Is anybody doing this?  Is
>>>> it even possible?
>>> I don't think so, but I could be wrong.
>> I've heard (!) that if the central database is LDAP one can use an OpenLDAP
>> overlay that synchronizes passwords in several services and IIRC Kerberos was
>> also mentioned. See <http://www.symas.com/introtooverlays.shtml> and look for
>> "smbk5pwd".
> 
> This overlay is only synchronising smb and krb5 passwords if these are
> held in the directory, for krb5 this can only be achieved with heimdal
> krb5.

Gary,

In addition to the smbk5pwd, you may also want to check out nss_ldap:

http://www.padl.com/OSS/nss_ldap.html

and if using PAM, pam_ldap:

http://www.padl.com/OSS/pam_ldap.html

and also the ldapdb SASL auxprop plugin.

nss_ldap will allow you to store additional /etc/passwd, 
/etc/group and /etc/shadow entries into LDAP.

SASL can be configured to use ldapdb to retrieve and store
passwords in LDAP.

Samba and Heimdal (as mentioned above) can be configured to store 
their users and principals into the same LDAP store, and the 
smbk5pwd overlay will update the samba and kerberos entries when 
the userPassword is changed, via an LDAP password extended operation.

Passwords can be changed via the ldappasswd command, or pam_ldap 
can be configured to perform the password extended operation each 
time a 'passwd' is run to change passwords.

- Dan

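The pieces Dan lists, assembled into configuration fragments as an added example (not part of his message or of the OpenLDAP, Cyrus SASL or pam_ldap documentation). The suffix dc=example,dc=com, the host ldap.example.com, the schema paths and the service account DN are assumptions.

```conf
# --- /etc/openldap/slapd.conf (fragment) ---
# Schema for the Samba and Heimdal attributes that smbk5pwd rewrites.
# Paths are assumed; Heimdal ships hdb.schema, Samba ships samba.schema.
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/hdb.schema
moduleload      smbk5pwd.la

# Let the SASL ldapdb proxy user act on behalf of end users (see below).
authz-policy    to

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"

# Only users may write their own userPassword; the ldapdb proxy user
# needs to read it so Cyrus SASL can verify (or, for PLAIN, compare) it.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=saslproxy,dc=example,dc=com" read
        by self write
        by anonymous auth
        by * none

# smbk5pwd fires on the Password Modify extended operation (RFC 3062)
# and rewrites the Samba hashes and the Heimdal keys in the same entry.
# A plain ldapmodify of userPassword does NOT trigger it.
overlay         smbk5pwd
smbk5pwd-enable samba krb5

# --- /etc/imapd.conf for Cyrus IMAP (fragment) ---
# ldapdb binds as the proxy account and then proxy-authorizes as the
# user being authenticated, so the proxy entry needs an authzTo value
# such as "dn.subtree:ou=people,dc=example,dc=com".
sasl_pwcheck_method:   auxprop
sasl_auxprop_plugin:   ldapdb
sasl_ldapdb_uri:       ldap://ldap.example.com
sasl_ldapdb_id:        saslproxy
sasl_ldapdb_pw:        proxy-secret-placeholder
sasl_ldapdb_mech:      DIGEST-MD5

# --- /etc/ldap.conf for pam_ldap (fragment) ---
# Make 'passwd' issue the Password Modify exop instead of writing the
# attribute directly, so smbk5pwd sees every change.
pam_password    exop

# --- Manual change from the shell, same extended operation ---
# ldappasswd -x -ZZ -H ldap://ldap.example.com \
#     -D "uid=gary,ou=people,dc=example,dc=com" -W -S
```

Check the result with `ldapsearch` as the user after a change: sambaNTPassword and the krb5 key attributes should carry the new timestamp alongside userPassword; if only userPassword moved, the change bypassed the extended operation.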
