How to synchronize Kerberos and SASL passwords?
Gary Mills
mills at cc.umanitoba.ca
Thu Nov 29 21:52:40 EST 2007
On Thu, Nov 29, 2007 at 10:57:58AM +0100, Sebastian Hagedorn wrote:
>
> --On 28. November 2007 19:40:22 -0600 Gary Mills <mills at cc.umanitoba.ca>
> wrote:
>
> >We have a central database that contains Unix, NTLM, and SASL
> >passwords, permitting single-password signons for Unix and Windows
> >desktops, and for Cyrus IMAP. I'd like to add Kerberos to this mix,
> >but only for IMAP authentications initially. This would permit
> >single-signon from Unix IMAP clients like mutt and pine, and
> >especially from a webmail application using pubcookie for
> >authentication. I'd like Kerberos to use the same passwords, rather
> >than supporting another password database. Is anybody doing this? Is
> >it even possible?
>
> I don't think so, but I could be wrong.
>
> >If not, would it be possible to keep them
> >synchronized?
>
> Well, I would assume that your "SASL passwords" are actually plain text,
> right? If you have the actual passwords you can of course keep two
> databases in sync. We do something similar. There's a cron job that runs
> once per hour and handles deltas.

Yes, that's correct, although they're not stored that way in the account
database. I'm pleased to hear that that works. I may decide to do the
same thing.

We use PAM exclusively. I notice that Solaris has a pam_krb5_migrate
module that will populate the Kerberos database when users don't
already have Kerberos passwords. That provides another way to do it.

--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-