[OpenAFS] LDAP and Krb5 and OpenAFS - problem?

Christian Pfaffel-Janser flash@itp.tu-graz.ac.at
23 Jun 2005 13:30:58 +0200


Chris Huebsch <chris.huebsch@informatik.tu-chemnitz.de> writes:

> Hi,
> 
> On Thu, 23 Jun 2005, Lars Schimmer wrote:
> 
> 
> > Are there any errors to expect? E.g. passwords - while users can change their
> > passwords on Krb5 the passwords are not changed in ldap  - user with 2 passwd
> > could log in. I think I have to disable passwords via ldap.
> 
> Don't use LDAP for password-checks. Leave the password-field empty.
> 

You might want to set the password-field to "{SASL}user@krbrealm".  We
use that setup so that users can authenticate against kerberos via
LDAP & SASL to a web application server.

It would be a non-trivial task to kerberize the application. It was
much easier to secure the server and use the way over LDAP.

For workstations though we disabled all but kerberos for
authentication.

Regards,
Christian

-- 
Dipl.-Ing. Christian Pfaffel-Janser <flash@itp.tugraz.at>
Technische Universität Graz                 Telefon: +43 / 316 / 873 - 81 90
Institut für Theoretische Physik            Telefax: +43 / 316 / 873 - 86 78
Petersgasse 16, A-8010 Graz           http://itp.tugraz.at/~flash/pubkey.gpg
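
The concern raised in this thread is a directory entry that still carries its own password next to the Kerberos one. The following sketch is an added example, not part of the original message: it audits an LDIF export and reports which entries have an empty userPassword, a "{SASL}user@krbrealm" pass-through value, or a locally stored secret. The sample entries, the EXAMPLE.ORG realm, the status labels and the assumption that uid equals the Kerberos principal name are all constructed for illustration.

```python
import base64

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample export: names, realm and the "hash" are made up.
_dave = b64("{SASL}dave@EXAMPLE.ORG")
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=org", "uid: alice",
    "userPassword: {SASL}alice@EXAMPLE.ORG", "",
    "dn: uid=bob,ou=people,dc=example,dc=org", "uid: bob",
    "userPassword:: " + b64("{SSHA}constructed-not-a-real-hash"), "",
    "dn: uid=carol,ou=people,dc=example,dc=org", "uid: carol", "",
    "dn: uid=dave,ou=people,dc=example,dc=org", "uid: dave",
    "userPassword:: " + _dave[:12], " " + _dave[12:], "",  # folded line
    "dn: uid=erin,ou=people,dc=example,dc=org", "uid: erin",
    "userPassword: {SASL}alice@EXAMPLE.ORG", "",
])

def parse_entries(ldif):
    """Yield one dict per entry, handling folded lines and base64 ('::') values."""
    unfolded = ldif.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def classify(entry, realm):
    """Return 'empty', 'sasl', 'sasl-mismatch' or 'local-secret' for one entry."""
    values = [v for v in entry.get("userpassword", []) if v]
    if not values:
        return "empty"
    if any(not v.upper().startswith("{SASL}") for v in values):
        return "local-secret"   # LDAP holds its own password next to Kerberos
    expected = f"{entry.get('uid', [''])[0]}@{realm}"
    return "sasl" if all(v[6:] == expected for v in values) else "sasl-mismatch"

def audit(ldif, realm):
    return {e["dn"][0]: classify(e, realm) for e in parse_entries(ldif)}

if __name__ == "__main__":
    for dn, status in audit(SAMPLE_LDIF, "EXAMPLE.ORG").items():
        print(f"{status:14} {dn}")
```

Entries reported as local-secret are the ones where a Kerberos password change would leave a second, stale password usable through LDAP; sasl-mismatch marks a pass-through value that names a different principal than the entry's own uid.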