Re: Kerberos and LDAP

Petter Reinholdsen asks about Kerberos and LDAP.

While I'm not sure about an implementation that does just the ACLs in LDAP, there are several implementations that support having the Kerberos principals stored in LDAP (i.e., Heimdal has supported it for ages, and MIT Kerberos has implemented it since fairly recently, too). This allows not only for easy replication of the principals to a secondary KDC; it also allows for using LDAP ACLs to decide who gets to create and maintain users.

In addition, there's supposed to be an OpenLDAP overlay that allows for updating the Samba and/or Heimdal hashes in an LDAP directory when the OpenLDAP 'change password' extended operation is used, thereby making it somewhat easier to keep passwords in sync.

I should note that I've never tried any of the above, though.
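As an added illustration of the point above about LDAP ACLs deciding who maintains principals (not part of the original message, and not taken from any project's documentation), here is a slapd.conf-style access block for an MIT Kerberos LDAP backend. The container DN, the two service DNs and the admin group are assumed names; the attribute and object class names (krbPrincipalKey, krbPrincipal) are those the MIT LDAP schema uses.

```conf
# Key material is the sensitive part: only the KDC's own bind identity
# may read it, and only the kadmin service (which writes new keys on
# password change) may modify it. Everyone else, including the admin
# group, gets nothing -- admins manage principals via kadmin, not raw LDAP.
access to dn.subtree="cn=krbContainer,dc=example,dc=com"
        attrs=krbPrincipalKey,krbExtraData
        by dn.exact="cn=kdc-service,dc=example,dc=com" read
        by dn.exact="cn=kadmin-service,dc=example,dc=com" write
        by * none

# The rest of the principal entries (names, policies, expiry, flags):
# the KDC reads, kadmin writes, members of an assumed admin group may
# create and maintain entries, and anonymous or ordinary users see nothing.
access to dn.subtree="cn=krbContainer,dc=example,dc=com"
        by dn.exact="cn=kdc-service,dc=example,dc=com" read
        by dn.exact="cn=kadmin-service,dc=example,dc=com" write
        by group.exact="cn=krb-admins,ou=groups,dc=example,dc=com" write
        by * none
```

Order matters in slapd ACLs: the attribute-specific rule must come before the broader subtree rule, otherwise the group's write access would also cover the key attributes.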