How to synchronize Kerberos and SASL passwords?

Gary Mills mills at cc.umanitoba.ca
Thu Nov 29 21:52:40 EST 2007


On Thu, Nov 29, 2007 at 10:57:58AM +0100, Sebastian Hagedorn wrote:
> 
> --On 28. November 2007 19:40:22 -0600 Gary Mills <mills at cc.umanitoba.ca> 
> wrote:
> 
> >We have a central database that contains Unix, NTLM, and SASL
> >passwords, permitting single-password signons for Unix and Windows
> >desktops, and for Cyrus IMAP.  I'd like to add Kerberos to this mix,
> >but only for IMAP authentications initially.  This would permit
> >single-signon from Unix IMAP clients like mutt and pine, and
> >especially from a webmail application using pubcookie for
> >authentication.  I'd like Kerberos to use the same passwords, rather
> >than supporting another password database.  Is anybody doing this?  Is
> >it even possible?
> 
> I don't think so, but I could be wrong.
> 
> >If not, would it be possible to keep them
> >synchronized?
> 
> Well, I would assume that your "SASL passwords" are actually plain text, 
> right? If you have the actual passwords you can of course keep two 
> databases in sync. We do something similar. There's a cron job that runs 
> once per hour and handles deltas.

Yes, that's correct, although they're not stored that way in the account
database.  I'm pleased to hear that that works.  I may decide to do the
same thing.

We use PAM exclusively.  I notice that Solaris has a pam_krb5_migrate
module that will populate the Kerberos database when users don't
already have Kerberos passwords.  That provides another way to do it.

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
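The hourly "handles deltas" cron job mentioned in the thread is not shown there; the following is an added example of how such a delta sync can be structured, not the script either poster runs. It assumes a hypothetical account record carrying the current plaintext password and a last-changed timestamp, a local KDC so that `kadmin.local` can be driven over stdin, and principals of the form NAME@REALM. The point worth getting right is the watermark: it only advances through an unbroken run of successful pushes, so a failed account is retried on the next run instead of being silently skipped.

```python
"""Hourly delta sync of passwords from a central account database to a
Kerberos KDC (added example; not the cron job described in the thread).

Hypothetical assumptions: the central database yields each account's current
password and when it last changed; the KDC is local (kadmin.local over stdin);
principals are NAME@REALM."""
import datetime as dt
import subprocess
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Account:
    name: str
    password: str            # plaintext, held only for the duration of the run
    changed_at: dt.datetime  # when this password was last set


def select_deltas(accounts: Iterable[Account], watermark: dt.datetime) -> List[Account]:
    """Accounts whose password changed after the last successful sync, oldest first."""
    return sorted((a for a in accounts if a.changed_at > watermark),
                  key=lambda a: a.changed_at)


def sync_deltas(accounts: Iterable[Account], watermark: dt.datetime,
                push: Callable[[str, str], None], realm: str
                ) -> Tuple[dt.datetime, List[Tuple[str, str]]]:
    """Push every changed password; return (new_watermark, failures).

    The watermark advances only while every push so far has succeeded, so the
    first failure (and everything after it) is retried next run.  Setting a
    password is idempotent, so re-sending an already-synced one is harmless."""
    new_wm = watermark
    failures: List[Tuple[str, str]] = []
    for acct in select_deltas(accounts, watermark):
        principal = f"{acct.name}@{realm}"
        try:
            push(principal, acct.password)
        except Exception as exc:          # kadmin error, KDC down, etc.
            failures.append((principal, str(exc)))
            continue
        if not failures:
            new_wm = acct.changed_at
    return new_wm, failures


def kadmin_command(principal: str, password: str) -> str:
    """Build the kadmin 'change_password' line.  Whitespace and quotes are
    rejected rather than quoted, to keep this example's tokenising simple."""
    if any(c.isspace() for c in password) or '"' in password:
        raise ValueError("password contains characters this example does not quote")
    return f"change_password -pw {password} {principal}\n"


def kadmin_local_push(principal: str, password: str) -> None:
    """Set the principal's password via kadmin.local, feeding the command on
    stdin so the password never appears in the process list.  kadmin.local
    exits 0 even when a command fails, so stderr is checked too."""
    proc = subprocess.run(["kadmin.local"], input=kadmin_command(principal, password),
                          text=True, capture_output=True)
    if proc.returncode != 0 or proc.stderr.strip():
        raise RuntimeError(proc.stderr.strip() or f"kadmin.local exit {proc.returncode}")


def run_demo() -> dict:
    """One sync run over a constructed sample, against a recording stand-in
    for kadmin in which 'carol' has no principal yet."""
    watermark = dt.datetime(2007, 11, 29, 9, 0)
    accounts = [
        Account("alice", "pw-a", dt.datetime(2007, 11, 29, 8, 30)),   # already synced
        Account("bob",   "pw-b", dt.datetime(2007, 11, 29, 9, 30)),
        Account("carol", "pw-c", dt.datetime(2007, 11, 29, 10, 15)),  # push will fail
        Account("dave",  "pw-d", dt.datetime(2007, 11, 29, 10, 45)),
    ]
    pushed: List[str] = []

    def fake_push(principal: str, password: str) -> None:
        if principal.startswith("carol@"):
            raise RuntimeError("Principal does not exist")
        pushed.append(principal)

    new_wm, failures = sync_deltas(accounts, watermark, fake_push, "EXAMPLE.ORG")
    return {"pushed": pushed, "watermark": new_wm.isoformat(), "failures": failures}


if __name__ == "__main__":
    print(run_demo())
```

In the demo, bob and dave are pushed but the watermark stays at bob's change time, so carol is picked up again once her principal exists (for instance after the pam_krb5_migrate route mentioned in the message populates it). To use it for real, replace `fake_push` with `kadmin_local_push` and persist the returned watermark between cron runs.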
