[OpenAFS] LDAP and Krb5 and OpenAFS - problem?
Christian Pfaffel-Janser
flash@itp.tu-graz.ac.at
23 Jun 2005 13:30:58 +0200
Chris Huebsch <chris.huebsch@informatik.tu-chemnitz.de> writes:
> Hi,
>
> On Thu, 23 Jun 2005, Lars Schimmer wrote:
>
>
> > Are there any errors to expect? E.g. passwords - while users can change their
> > passwords on Krb5 the passwords are not changed in LDAP - users with 2 passwords
> > could log in. I think I have to disable passwords via LDAP.
>
> Don't use LDAP for password-checks. Leave the password-field empty.
>
You might want to set the password-field to "{SASL}user@krbrealm". We
use that setup so that users can authenticate against Kerberos via
LDAP & SASL to a web application server.

It would be a non-trivial task to kerberize the application. It was
much easier to secure the server and use the way over LDAP.

For workstations though we disabled all but Kerberos for
authentication.

Regards,
Christian
--
Dipl.-Ing. Christian Pfaffel-Janser <flash@itp.tugraz.at>
Technische Universität Graz Telefon: +43 / 316 / 873 - 81 90
Institut für Theoretische Physik Telefax: +43 / 316 / 873 - 86 78
Petersgasse 16, A-8010 Graz http://itp.tugraz.at/~flash/pubkey.gpg
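
Added example (not part of the original thread): a small audit of an LDIF export that separates entries with no password or a "{SASL}principal" value from entries that still hold a directory-local password, which is the two-password situation raised in the quoted question. The sample LDIF, DNs, realm, placeholder hashes and function names are constructed for illustration.

```python
import base64

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts (attribute names lowercased)."""
    # RFC 2849 folding: a newline followed by one space continues the previous line.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>", as exports commonly emit userPassword
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries

def classify(entry):
    """'empty', 'sasl' (delegated to Kerberos) or 'local' (directory holds a password)."""
    values = [v for v in entry.get("userpassword", []) if v]
    if not values:
        return "empty"
    # Multi-valued attribute: one non-{SASL} value is enough for a second password.
    if all(v.upper().startswith("{SASL}") for v in values):
        return "sasl"
    return "local"

def audit(text):
    """Map each entry's DN to its classification."""
    return {e["dn"][0]: classify(e) for e in parse_ldif(text)}

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample export; DNs, realm and the "hashes" are made up.
_dave = _b64("{SASL}dave@EXAMPLE.ORG")
SAMPLE_LDIF = (
    "dn: uid=alice,dc=example,dc=org\nuserPassword: {SASL}alice@EXAMPLE.ORG\n\n"
    "dn: uid=bob,dc=example,dc=org\nuserPassword:: " + _b64("{SSHA}not-a-real-hash") + "\n\n"
    "dn: uid=carol,dc=example,dc=org\nuid: carol\n\n"
    "dn: uid=dave,dc=example,dc=org\nuserPassword:: " + _dave[:12] + "\n " + _dave[12:] + "\n\n"
    "dn: uid=eve,dc=example,dc=org\nuserPassword: {SASL}eve@EXAMPLE.ORG\n"
    "userPassword: {CRYPT}not-a-real-hash\n"
)

if __name__ == "__main__":
    for dn, kind in audit(SAMPLE_LDIF).items():
        print(f"{kind:5}  {dn}")
```

Entries reported as "local" still accept a password that a Kerberos password change will not update.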