Pascal Levy wrote:
On Wednesday 08 October 2008 12:54:48 Guillaume Rousse wrote:
I'm back on this old question, because I'm now really working on it.
Andrew Bartlett wrote:
Second, I was looking at better way to sync users accounts between our
new ldap-backed heimdal kdc and our windows AD. Currently, we have an
automated task synchronising user entries into Windows LDAP from our
Unix LDAP hourly, and a password-management CGI propagating password
changes to both systems (using an ugly VB CGI on windows side to
effectively change the password). I was wondering if the password
handling stuff could be merged with the ldap synchronisation task, now
we store kerberos keys in LDAP.
Windows does not allow the password attributes to be manipulated like
that. You could potentially read and set passwords with Samba4's
DRSUAPI synchronisation, but you can't do it with just Heimdal or just
LDAP.
I don't know if this could be useful for you, but what we are doing here is to
keep real users' passwords only in the heimdal KDC.
openldap authentication is done using the SASL mechanism with
[EMAIL PROTECTED] as the userPassword chain.
AD authentication is done using a trust relationship with the heimdal KDC and a
mapping between AD accounts and heimdal KDC principals. ldap/heimdal/AD
accounts are kept in sync with a perl script running every 15 min.
The AD userPassword is a (very) long random chain created by the perl script and
set in AD with ldap tools.
Users can change their password by using the normal windows change password
interface. Admins can use heimdal tools to manage passwords directly on the
kdc.
That sounds really interesting, but I don't understand some points:
- how do you make AD know it can get a kerberos ticket from the heimdal
KDC? Did you set the user's userPrincipalName attribute to a principal
from the heimdal-managed realm?
- is the AD userPassword attribute ever used in this case?
- what's the exact usefulness of having OpenLDAP auth redirected to a SASL
mechanism? Just for managing a single password? We have heimdal using
openldap as backend, and use the smbkrb5 overlay to keep them synced
already, so it may be useless for us.
- how do you prevent the ExOP PasswdChange from rewriting the userPassword attribute
with a normal value, and keep '[EMAIL PROTECTED]' instead?
- what exact ciphers did you use to ensure compatibility between heimdal
and your AD controller? From the Heimdal documentation, we used
des3-hmac-sha1 and des-cbc-crc, but it's quite old. From Andrew's previous
answer, I understand we may use arcfour-hmac-md5 as well now.
Thanks for your input.
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
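The throwaway AD password Pascal describes (a long random string pushed into AD with ldap tools) has to land in AD's unicodePwd attribute over an encrypted LDAP connection, as the quoted password encoded in UTF-16LE. The Python below is an added example, not the perl script from the thread: it generates such a password and builds the LDIF modify record that ldapmodify would consume; the DN is a constructed sample.

```python
import base64
import secrets
import string

# Character set for the throwaway AD password. It is never typed by anyone
# (the real credential lives in the Heimdal KDC), so length matters more
# than memorability.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_ad_password(length: int = 64) -> str:
    """Return a random password of the given length drawn from ALPHABET."""
    if length < 16:
        raise ValueError("refuse to generate a short throwaway password")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def encode_unicode_pwd(password: str) -> bytes:
    """Encode a cleartext password the way AD's unicodePwd attribute expects:
    the value wrapped in double quotes, then UTF-16LE without a BOM."""
    return f'"{password}"'.encode("utf-16-le")


def ldif_set_unicode_pwd(dn: str, password: str) -> str:
    """Build an LDIF modify/replace record for unicodePwd.

    Binary values are written in LDIF as base64 after a double colon.
    AD only accepts this write over LDAPS (or another encrypted bind),
    so the record is useless to a plaintext ldapmodify session."""
    value = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {value}\n"
        "-\n"
    )


if __name__ == "__main__":
    # Constructed sample DN; a sync script would take it from the LDAP entry.
    sample_dn = "CN=jdoe,OU=Users,DC=example,DC=com"
    print(ldif_set_unicode_pwd(sample_dn, random_ad_password()))
```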