On Tue, 2009-03-31 at 12:12 +0200, Michael Ströder wrote:
> Adriana Gologaneanu wrote:
> > Debian Etch
> > - slapd: 2.3.30-5+etch2
> > - krb5-kdc: 1.4.4-7etch6
> >
> > I just found with Lenny a plugin: krb5-kdc-ldap that allows the KDC data
> > to be stored in an LDAP server.
> > Let me test it and I will give you feedback.
>
> It won't help since the credentials are stored in different attributes.
>
> You need something which syncs the credential attributes. This is e.g.
> possible with OpenLDAP/Heimdal and a server-side overlay (server-side
> plugin) called smbk5pwd which intercepts the LDAP Password Modify
> Extended Operation requests and then sets all relevant attributes. The
> FreeIPA folks have implemented something similar for MIT KDC with Fedora
> Directory Server. I don't know a solution for OpenLDAP / MIT KDC though.
>
> Also note that the LDAP schema for MIT KDC and Heimdal KDC differ.

The FreeIPA plugin has been written using the SLAPI interface.
I think OpenLDAP still supports that interface too, so maybe it is not
too difficult to port the plugin to OpenLDAP.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
