On Sat, Feb 07, 2015 at 18:44:48 +0100, Jan Rękorajski wrote:
>> Oh, and I've just found this thread:
>> http://www.openldap.org/lists/openldap-technical/201402/msg00197.html
>> pointing to https://github.com/opinsys/smbkrb5pwd
>
> Wow, 10 years after Heimdal?

Kerberos was designed for authentication, not directory services, so you
shouldn't 'wow' this feature - blame samba for being such a lame AD
replacement. I see no point in keeping credentials in LDAP; this is IMHO
against both LDAP (permits reading everything by default, needs some fancy
ACLs to restrict public information) and the KDC (credentials should not
leave the ticket granting system in ANY way). Or blame AD for being such a
misdesign, dunno - KDC and LDAP should never talk to each other (with one
obvious exception - authenticating the user for LDAP access itself).

Or ...why don't you blame OpenLDAP for missing an MIT updater?

It's weird that every LDAP-related solution is flawed - you can't have HTTP
digest auth with LDAP, because the LDAP userPassword would need to be
plaintext? Wrong, apache could store the same data htdigest stores and fetch
it using its own user (with ACLs protecting this attribute the same way
userPassword is, and some overlay to update it when the main user password
changes). After all, there is the squid-ldap auth helper (an https proxy is
a relatively new solution; doing basic http auth without SSL is not an
option). Authenticating a user upon successful LDAP bind is ridiculous (ok,
there is authorization using search, still lame).

Seems to me that the entire LDAP business is a kludge... Never mind, there
is smbkrb5pwd '10 years after Heimdal', so we might get back to MIT '3 years
after the last Heimdal release', mightn't we?

> And it still looks like it needs some hackery.

Elaborate please - I've seen many documents on integrating heimdal with
LDAP and it was all one big hackery; what's the difference with the above?

> But that's not the point, you missed the most important issue (system
> MIT makes samba4 useless):

Elaborate please - I see all the parts in the same places in both systems.
What exactly is missing?

>> > and that's crucial now Samba is a real AD server. Just read README.dc
>> > from Fedora's samba package, it's so pathetic it still makes me
>> > laugh my ass off.
>> >
>> > That were the reasons we switched to Heimdal.

Wasn't that the reason THEY created FreeIPA for AD?

>> How can I set default and user password policy using Heimdal without
>> LDAP (I won't put passwords into a public directory designed for
>> authorization, not authentication)? I need a plain authentication
>> service, no LDAP and no SASL involved.
>
> Never used standalone KDC, always had LDAP backend. Try this:
> http://kerberos.996246.n3.nabble.com/Password-Quality-Checking-td10147.html

That's not a solution - it is only a password strength check, not a policy;
at least password reuse and account lockout are required.

> I assume you read this:
> http://www.h5l.org/manual/HEAD/info/heimdal/Password-changing.html

Yes, ...that's why I've started digging on MIT. Or going towards LDAP (for
ppolicy), but it seems it's too hackish as well.

-- 
Tomasz Pala <go...@pld-linux.org>
_______________________________________________
pld-devel-en mailing list
pld-devel-en@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
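The two LDAP points raised in the message above (ACLs that keep userPassword
and a digest attribute out of the "everything readable by default" zone, and
the ppolicy overlay as the thing that actually provides password history and
account lockout) can be shown concretely. The LDIF below is an added example
written for this page, not code from the thread, from PLD, or from OpenLDAP's
own documentation. It assumes OpenLDAP 2.4 with cn=config, the ppolicy module
available in olcModulePath, a suffix dc=example,dc=org on olcDatabase={1}mdb,
an admin DN cn=admin,dc=example,dc=org, a service bind DN for the web front
end, and a hypothetical locally defined attribute exampleDigestHA1 holding the
htdigest-style value; all of those names are assumptions.

```ldif
# Added example, not from the original thread.
# Assumed names: dc=example,dc=org, olcDatabase={1}mdb,
# cn=admin,dc=example,dc=org, cn=httpd,ou=services,dc=example,dc=org and the
# hypothetical attribute exampleDigestHA1 (must exist in a local schema).

# 1. Load the ppolicy overlay module (apply with -Y EXTERNAL over ldapi:///).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# 2. ACLs. userPassword: the owner may change it, clients may only *bind*
#    against it ("auth"), nobody may read it. The digest attribute is readable
#    solely by the web front end's own bind DN. Everything else stays readable.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=admin,dc=example,dc=org" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to attrs=exampleDigestHA1
  by dn.exact="cn=admin,dc=example,dc=org" write
  by dn.exact="cn=httpd,ou=services,dc=example,dc=org" read
  by * none
olcAccess: {2}to *
  by dn.exact="cn=admin,dc=example,dc=org" write
  by * read

# 3. Attach the ppolicy overlay to the database and name the default policy.
#    olcPPolicyHashCleartext makes slapd hash plaintext userPassword writes;
#    olcPPolicyUseLockout returns an explicit "locked" error to clients.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=org
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE

# 4. The default policy is an ordinary directory entry (apply with the admin
#    bind, not the cn=config bind). It remembers the last 5 passwords and
#    locks the account for 15 minutes after 5 failed binds within 5 minutes.
dn: ou=policies,dc=example,dc=org
changetype: add
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=org
changetype: add
objectClass: pwdPolicy
objectClass: person
cn: default
sn: default
pwdAttribute: userPassword
pwdInHistory: 5
pwdMinLength: 12
pwdMaxAge: 7776000
pwdCheckQuality: 2
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 300
pwdLockoutDuration: 900
```

In practice the cn=config parts (steps 1 to 3) and the directory entries
(step 4) are kept in two files because they are applied with different binds.
Two caveats a practitioner will want: ppolicy counts failed simple binds
against slapd, so a KDC using LDAP as its backend does not feed Kerberos
pre-authentication failures into pwdFailureTime, and the lockout therefore
only covers the LDAP bind path; and an "auth"-only ACL still lets any
anonymous client probe userPassword through bind attempts, which is exactly
what the lockout settings are there to rate-limit.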