Michael B Allen <[EMAIL PROTECTED]> writes:
> Russ Allbery <[EMAIL PROTECTED]> wrote:

>> mod_auth_kerb can (via BasicAuth), but you need to have the passwords
>> in some Kerberos database. It doesn't help if they're only in LDAP.

> I'm a little confused by this statement. If mod_auth_kerb uses
> krb5_get_init_creds_password it shouldn't care where passwords are.

It only does Kerberos authentication. If the passwords are stored as encrypted hashes in an LDAP directory server (which is what people normally mean when they talk about "LDAP authentication"), it doesn't help.

> Also, AD is a "Kerberos database" and does not store passwords in the
> DIT (actually it doesn't store passwords at all AFAIK, only keys).

Yes, the original question was how to handle authentication of the users at that site who *aren't* in AD. The original poster wasn't completely clear on where the passwords *are* stored, but based on the question, I presume they're encrypted hashes in LDAP.

You're correct and I was sloppy in my wording -- normally, Kerberos KDCs only store keys, not passwords.

--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
