* Michael Tiernan <[email protected]> [20100811 10:52]:
>
> I've got a working Kerberos & LDAP configuration and I have users who've left
> the systems. Ignoring the good/bad aspects of the policy of deleting vs
> locking out users for a moment, I am wondering about the internal behavior of
> Kerberos.
>
> If Kerberos provides the authentication information for users (but is only
> coupled to LDAP via the user's name) then I *believe* that I can delete a
> user's principal to prohibit use of the account and then, when the
> appropriate authority tells me the user is allowed back in, I can just create
> a new principal for this user and all will be right with the world. The
> assumption is of course that the lock/unlock period is beyond the life-time
> of any tickets.
>
If you're dealing with an MIT KDC then you can simply "expire" the kerberos principal (not the password), which keeps it from being used. Then if the user needs to be re-enabled at a later point the principal can be "unexpired" (the old password will work again).

Ben
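The lock/unlock procedure Ben describes, as an added example that is not part of the original thread: a small POSIX shell wrapper around MIT `kadmin` that sets or clears the principal's expiration date (leaving the password and its own expiry alone) and reads the "Expiration date:" line of `getprinc` back to confirm the state. It assumes `kadmin.local` on the KDC (or `kadmin` with an admin credential); the `KADMIN` variable and the principal name `alice@EXAMPLE.COM` in the usage stanza are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): lock and unlock an MIT Kerberos
# principal by setting its expiration date; the password itself is untouched,
# so unlocking restores the user's old password. KADMIN is overridable so the
# commands can be dry-run (e.g. KADMIN=echo) without touching a real KDC.
KADMIN="${KADMIN:-kadmin.local}"

# kadmin query that expires (locks) a principal as of the given time.
# MIT kadmin accepts "now" and absolute dates such as "2010-08-11 10:52".
lock_query() {
    printf 'modify_principal -expire "%s" %s' "${2:-now}" "$1"
}

# kadmin query that clears the expiration, re-enabling the principal.
unlock_query() {
    printf 'modify_principal -expire never %s' "$1"
}

lock_principal()   { "$KADMIN" -q "$(lock_query "$1" "$2")"; }
unlock_principal() { "$KADMIN" -q "$(unlock_query "$1")"; }

# Read getprinc output on stdin and print "locked" or "active".
# Only the principal's own "Expiration date:" line is inspected; the separate
# "Password expiration date:" line does not match the anchored pattern.
# Exit status 1 if no expiration line was found at all.
parse_principal_state() {
    awk '
        /^Expiration date:/ {
            found = 1
            if ($0 ~ /\[never\]/) print "active"; else print "locked"
        }
        END { exit found ? 0 : 1 }'
}

principal_state() {
    "$KADMIN" -q "getprinc $1" | parse_principal_state
}

# Usage when run directly, e.g.:  ./krb-lock.sh lock alice@EXAMPLE.COM
case "${1:-}" in
    lock)   lock_principal "$2" "${3:-now}" ;;
    unlock) unlock_principal "$2" ;;
    state)  principal_state "$2" ;;
esac
```

Run `state` after each change to verify the KDC recorded it; a locked principal shows a concrete expiration date rather than `[never]`.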
