[TriLUG] LDAP user password resets

bak bak at picklefactory.org
Thu Jan 18 09:50:54 EST 2007


$0.02:

Using LDAP for authentication would be nice if it worked, but it Just 
Don't.  I've bumped into so many different apps -- commercial and free 
-- that want to talk to LDAP over an unsecured connection, or don't 
understand the password hashing that you've decided to use, or worse yet 
want to read the password field in the clear instead of just expecting 
OpenLDAP to give a yea or nay.  It's ugly.  That said, if you know your 
set of applications with LDAP as a backend is limited, you're in the clear.

After a few years of attempting to use LDAP for everything, I gave up 
and let Kerberos handle the authentication part.  The worst you can say 
about it is that if an application isn't kerberized enough to accept a 
ticket, it can at least take in a username and password pair and go to 
the KDC itself.

But for apps that are kerberized, it's great -- and for web stuff, you 
can get GSSAPI/SPNEGO going -- it'll look as integrated as 
Active Directory. :)

--bak

Magnus wrote:
> Nick wrote:
>> Any nudges in the right direction would be appreciated.
> 
> Would that include nudging away from LDAP for authentication?  It's a 
> great tool for user metadata and other directory services but for 
> authentication... KerberosV.  Linux does support authentication by 
> KerberosV mixed with directory services from LDAP.  Works great.
> 
> 
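The two failure modes bak describes (apps that insist on reading the userPassword hash themselves, and apps that will happily send a simple bind over an unencrypted connection) are easy to see in miniature. The following is an added example, not code from the thread or from OpenLDAP: it models a directory as an in-memory dict, implements the real OpenLDAP {SSHA} and {SSHA512} userPassword formats (scheme prefix plus base64 of digest || salt), and contrasts an app that delegates to a bind and only gets yes/no back with an app that reads the hash and must understand every scheme in use. DNs, passwords and salts are constructed sample data; `directory_bind`, `app_reads_hash` and the `ldap://`-without-StartTLS refusal are the example's own modelling, not a library API.

```python
import base64
import hashlib
import hmac
import os

# Scheme prefix -> hashlib algorithm. {SSHA} is OpenLDAP's default salted SHA-1;
# {SSHA512} is what the pw-sha2 module produces. Both are scheme + base64(digest || salt).
SCHEMES = {"{SSHA}": "sha1", "{SSHA512}": "sha512"}


def _salted_digest(algo, password, salt):
    return hashlib.new(algo, password.encode("utf-8") + salt).digest()


def make_userpassword(password, scheme="{SSHA}", salt=None):
    """Build an OpenLDAP-style userPassword value for the given scheme."""
    salt = os.urandom(8) if salt is None else salt
    blob = _salted_digest(SCHEMES[scheme], password, salt) + salt
    return scheme + base64.b64encode(blob).decode("ascii")


def verify_userpassword(password, stored, known_schemes=tuple(SCHEMES)):
    """Check a password against a stored value.

    Raises NotImplementedError when the stored scheme is one the caller does
    not know: this is exactly the trap an app walks into when it reads the
    hash itself instead of letting the directory decide.
    """
    scheme = stored[: stored.index("}") + 1]
    if scheme not in known_schemes:
        raise NotImplementedError("unknown password scheme " + scheme)
    algo = SCHEMES[scheme]
    digest_len = hashlib.new(algo).digest_size
    raw = base64.b64decode(stored[len(scheme):])
    digest, salt = raw[:digest_len], raw[digest_len:]
    return hmac.compare_digest(_salted_digest(algo, password, salt), digest)


# Constructed sample directory standing in for slapd: dn -> userPassword.
# alice was hashed with the default scheme, bob with {SSHA512}.
ALICE_DN = "uid=alice,ou=people,dc=example,dc=org"
BOB_DN = "uid=bob,ou=people,dc=example,dc=org"
DIRECTORY = {
    ALICE_DN: make_userpassword("correct horse", "{SSHA}", b"saltsalt"),
    BOB_DN: make_userpassword("battery staple", "{SSHA512}", b"0123456789abcdef"),
}


def directory_bind(uri, dn, password, starttls=False):
    """Model of a simple bind: the app sends credentials, the directory
    verifies them with whatever scheme it stored, and only a yes/no comes
    back. The directory refuses to accept a cleartext password over an
    unencrypted ldap:// session (the policy OpenLDAP's 'security'
    directive can enforce); this check is part of the model, not a library call."""
    if uri.startswith("ldap://") and not starttls:
        raise PermissionError("simple bind refused: connection is not encrypted")
    stored = DIRECTORY.get(dn)
    if stored is None:
        return False
    return verify_userpassword(password, stored)


def app_reads_hash(dn, password):
    """The anti-pattern: the app has read access to userPassword and
    compares the hash itself. This app only ever learned {SSHA}, so a
    user whose hash uses another scheme cannot log in at all."""
    stored = DIRECTORY.get(dn)
    if stored is None:
        return False
    return verify_userpassword(password, stored, known_schemes=("{SSHA}",))


if __name__ == "__main__":
    print("bind alice:", directory_bind("ldaps://ldap.example.org", ALICE_DN, "correct horse"))
    print("bind bob:  ", directory_bind("ldaps://ldap.example.org", BOB_DN, "battery staple"))
    print("read alice:", app_reads_hash(ALICE_DN, "correct horse"))
    try:
        app_reads_hash(BOB_DN, "battery staple")
    except NotImplementedError as exc:
        print("read bob:  ", exc)
```

The point of the model: with a bind, changing the directory's hashing scheme (or moving users to a different one) is invisible to applications, and the application never holds anything but the user's own credential for that one request. With read-and-compare, every application needs read access to everyone's hashes and a copy of every scheme's verification logic, which is what turns a password-scheme change into an outage. The cleartext refusal mirrors what a real slapd can be told to do with its security directive, so that a misconfigured client fails loudly instead of leaking passwords on the wire.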
