When configuring MIT Kerberos to use an LDAP database instead of DB2, I was surprised to see that user password hashes are stored in two different fields: userPassword and krbPrincipalKey. It seems the hashing algorithms may be different, but that seems unnecessary too. Why not just consolidate to avoid synchronization issues?
OpenLDAP cannot directly handle krbPrincipalKey data for authentication. I am not entirely familiar with how FreeIPA handles passwords, but for other OpenLDAP/Kerberos installations, OpenLDAP is often instructed to use SASL passthrough authentication.
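The pass-through arrangement the answer refers to, as an added configuration sketch that is not part of the answer or of OpenLDAP's own documentation; the DN, principal, realm and socket path are placeholders:

```conf
# --- 1. LDAP entry (LDIF). userPassword carries no hash, only a pointer to the
#        Kerberos principal, so krbPrincipalKey is the single stored secret.
#        DN and principal are placeholders.
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword: {SASL}alice@EXAMPLE.COM

# --- 2. slapd's Cyrus SASL config (/etc/sasl2/slapd.conf or
#        /usr/lib/sasl2/slapd.conf, depending on the distribution).
#        slapd must be built with SASL password support (--enable-spasswd).
#        Simple binds against a {SASL} userPassword are handed to saslauthd.
pwcheck_method: saslauthd
# Must match the -m path saslauthd is started with (placeholder path).
saslauthd_path: /var/run/saslauthd/mux

# --- 3. saslauthd verifies the bind password against the KDC.
#        /etc/default/saslauthd on Debian/Ubuntu, or the equivalent
#        command line:  saslauthd -a kerberos5 -m /var/run/saslauthd/mux
MECHANISMS="kerberos5"

# --- 4. Check each link of the chain before pointing clients at it
#        (run as a user permitted to open the mux socket):
#   testsaslauthd -u alice -r EXAMPLE.COM -p 'the-password'   # expect "0: OK"
#   ldapwhoami -x -H ldap://localhost \
#       -D uid=alice,ou=people,dc=example,dc=com -W
```

With this layout userPassword holds no hash at all, so the only secret to keep in sync is the Kerberos key itself.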
Yes, but why? It seems it would be easier to update either Kerberos or the LDAP server to be able to handle a different password field format than go through all the trouble to handle keeping two separate fields in sync or setting up an external SASL daemon for SASL passthrough. – Ryan Apr 10 '18 at 13:45