We have a cluster that uses an internal LDAP domain for user authentication that previously used passwords stored in LDAP. We have now moved the login machine to use krb5 for password authentication against an external KDC. We would like to remove the local LDAP passwords if we can. Is there an equivalent in LDAP to the traditional Unix auth command usermod -p '!' user?
jamie
What LDAP server are you using? Not all of them work the same way. – user1686 Sep 01 '23 at 08:41
1 Answer
For OpenLDAP – remove the userPassword attribute from each user account.
There are no standard commands; you'll need ldapsearch | some awk/sed/grep | ldapmodify, or script the batch update using Perl/Python.
Alternatively: you can have the LDAP server validate plain passwords against Kerberos by setting each user's userPassword attribute to {SASL}user@REALM and running the saslauthd -a krb5 daemon to perform password validation. (Of course, this is not as good as actual Kerberos authentication.)

user1686
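The ldapsearch | script | ldapmodify batch that the answer describes, as an added example that is not the answer's own code: a small standard-library Python script that parses ldapsearch -LLL LDIF, skips accounts that no longer carry userPassword, and emits either the delete or the {SASL}uid@REALM replacement for ldapmodify. The sample entries, DNs and realm are constructed; it assumes ASCII DNs and that each account has a uid attribute.

```python
# Added example (not the answer's own code): turn `ldapsearch -LLL` output into an LDIF batch for
# ldapmodify that deletes userPassword, or maps it to {SASL}uid@REALM. Assumes ASCII DNs; stdlib only.
import base64

def parse_ldif_entries(ldif_text):
    """Return [(dn, {attr_lower: [values]})]; unfolds wrapped lines and decodes 'attr::' base64."""
    entries = []
    for block in ldif_text.strip().split("\n\n"):
        text = block.replace("\n ", "")         # newline + single space continues the previous line
        dn, attrs = None, {}
        for line in text.splitlines():
            name, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):           # '::' = base64 value (how ldapsearch emits userPassword)
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        entries.append((dn, attrs))
    return entries

def build_modify_ldif(ldif_text, mode="delete", realm=None):
    """Emit one 'changetype: modify' per entry that still has userPassword (delete, or map to {SASL})."""
    changes = []
    for dn, attrs in parse_ldif_entries(ldif_text):
        if "userpassword" not in attrs:
            continue                            # already cleaned up, nothing to emit
        if mode == "delete":
            body = "delete: userPassword"
        else:
            uid = attrs.get("uid", [""])[0]
            if not (uid and realm):
                raise ValueError(f"sasl mode needs uid and realm for {dn}")
            body = f"replace: userPassword\nuserPassword: {{SASL}}{uid}@{realm}"
        changes.append(f"dn: {dn}\nchangetype: modify\n{body}\n-\n")
    return "\n".join(changes)

# Constructed sample of `ldapsearch -LLL ... uid userPassword` output; bob is already clean.
SAMPLE = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword:: e1NTSEF9ZHVtbXk=

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
"""

print(build_modify_ldif(SAMPLE))                # pipe this into: ldapmodify -x -D <admin DN> -W
```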