How to synchronize Kerberos and SASL passwords?

Gary Mills mills at cc.umanitoba.ca
Thu Nov 29 22:04:08 EST 2007


On Thu, Nov 29, 2007 at 09:16:57AM -0600, Dan White wrote:
> Dieter Kluenter wrote:
> >Patrick Ben Koetter <p at state-of-mind.de> writes:
> >
> >>* Sebastian Hagedorn <Hagedorn at uni-koeln.de>:
> >>>
> >>>--On 28. November 2007 19:40:22 -0600 Gary Mills <mills at cc.umanitoba.ca> 
> >>>wrote:
> >>>
> >>>>We have a central database that contains Unix, NTLM, and SASL
> >>>>passwords, permitting single-password signons for Unix and Windows
> >>>>desktops, and for Cyrus IMAP.  I'd like to add Kerberos to this mix,
> >>>>but only for IMAP authentications initially.  This would permit
> >>>>single-signon from Unix IMAP clients like mutt and pine, and
> >>>>especially from a webmail application using pubcookie for
> >>>>authentication.  I'd like Kerberos to use the same passwords, rather
> >>>>than supporting another password database.  Is anybody doing this?  Is
> >>>>it even possible?
> >>>I don't think so, but I could be wrong.
> >>I've heard (!) that if the central database is LDAP one can use an
> >>OpenLDAP overlay that synchronizes passwords in several services and
> >>IIRC Kerberos was also mentioned. See
> >><http://www.symas.com/introtooverlays.shtml> and look for "smbk5pwd".
> >
> >This overlay is only synchronising smb and krb5 passwords if these are
> >held in the directory; for krb5 this can only be achieved with Heimdal
> >krb5.

Thanks.  That's a possibility, although I'd like to try the native
Solaris Kerberos first.

> In addition to the smbk5pwd, you may also want to check out nss_ldap:
> 
> http://www.padl.com/OSS/nss_ldap.html
> 
> and if using PAM, pam_ldap:
> 
> http://www.padl.com/OSS/pam_ldap.html

Yes, we have all of those with Solaris, although not the PADL versions.

> Samba and Heimdal (as mentioned above) can be configured to store 
> their users and principals into the same LDAP store, and the 
> smbk5pwd overlay will update the samba and kerberos entries when 
> the userPassword is changed, via an LDAP password extended operation.

Our account database is in MySQL, but it's easy enough to put LDAP
in front of it.  I'm pleased to hear that I have some options.

> Passwords can be changed via the ldappasswd command, or pam_ldap 
> can be configured to perform the password extended operation each 
> time a 'passwd' is run to change passwords.

I believe we have that part covered already.

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
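The setup Dan White describes, as an added configuration example rather than anything posted in the thread: an OpenLDAP slapd.conf fragment that loads the smbk5pwd overlay with both its Samba and Heimdal modules, plus the ldappasswd invocation and the Heimdal KDC stanza that go with it. The suffix, DNs, file paths and realm layout are assumed for illustration; the directive names are those of the smbk5pwd contrib module and Heimdal's hdb-ldap backend.

```conf
# slapd.conf fragment (added illustration, not from the thread): one
# userPassword change updates Samba NT/LM hashes and Heimdal keys.
# All DNs, paths and the suffix below are assumptions.

# Attribute definitions the overlay writes to; both schemas are required.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema   # shipped with Samba
include         /etc/openldap/schema/hdb.schema     # shipped with Heimdal

modulepath      /usr/lib/openldap
moduleload      back_bdb.la
moduleload      smbk5pwd.la     # built from contrib/slapd-modules/smbk5pwd

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# Key material is password-equivalent: only the KDC and Samba identities
# (assumed DNs) may read it; users may change userPassword but never read it.
access to attrs=userPassword
        by self write
        by * auth
access to attrs=krb5Key,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=kdc,dc=example,dc=com" read
        by dn.exact="cn=samba,dc=example,dc=com" read
        by * none

# The overlay hooks the LDAP Password Modify extended operation
# (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1).  A plain ldapmodify that
# rewrites userPassword does NOT pass through it, so the Samba and
# Kerberos attributes would silently drift out of sync.
overlay         smbk5pwd
smbk5pwd-enable samba   # sambaNTPassword/sambaLMPassword/sambaPwdLastSet
                        # on entries with objectClass sambaSamAccount
smbk5pwd-enable krb5    # krb5Key/krb5KeyVersionNumber on entries with
                        # objectClass krb5KDCEntry (Heimdal hdb only)

# Change a password through the extended operation so the overlay fires
# (-W prompts for the bind password, -S for the new one):
#   ldappasswd -x -H ldap://ldap.example.com \
#       -D "uid=gary,ou=People,dc=example,dc=com" -W -S

# On the KDC host, point Heimdal's hdb at the same entries (krb5.conf,
# assumed layout):
#   [kdc]
#       database = {
#           dbname = ldap:ou=People,dc=example,dc=com
#           hdb-ldap-structural-object = inetOrgPerson
#           acl_file = /var/heimdal/kadmind.acl
#           mkey_file = /var/heimdal/m-key
#       }
```

Two caveats follow from the thread itself. First, each user entry must carry both auxiliary object classes (sambaSamAccount and krb5KDCEntry) before the overlay has anything to update; entries without them are left alone. Second, the krb5 half only works because Heimdal can read its principal database straight out of the directory; a Solaris or MIT KDC keeps its own database, so with the native Solaris Kerberos Gary prefers, the overlay cannot be used and the password would have to be pushed to the KDC some other way (for example from the same change hook that already drives the MySQL-backed Unix, NTLM and SASL passwords).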

