[TriLUG] LDAP user password resets

David McDowell turnpike420 at gmail.com
Thu Jan 18 10:08:13 EST 2007


heh, so if I don't get shot for this one... you can just get AD (which
is their own smash of LDAP and krb5) and set up your Linux applications
to auth against it... teee heee (that's what we do here b/c we have to
have AD for other things).  *runs and hides*  It works fine for us.

David


On 1/18/07, bak <bak at picklefactory.org> wrote:
> $0.02:
>
> Using LDAP for authentication would be nice if it worked, but it Just
> Don't.  I've bumped into so many different apps -- commercial and free
> -- that want to talk to LDAP over an unsecured connection, or don't
> understand the password hashing that you've decided to use, or worse yet
> want to read the password field in the clear instead of just expecting
> OpenLDAP to give a yea or nay.  It's ugly.  That said, if you know your
> set of applications with LDAP as a backend is limited, you're in the clear.
>
> After a few years of attempting to use LDAP for everything, I gave up
> and let Kerberos handle the authentication part.  The worst you can say
> about it is that if an application isn't kerberized enough to accept a
> ticket, it can at least take in a username and password pair and go to
> the KDC itself.
>
> But for apps that are kerberized, it's great -- and for web stuff, you
> can get GSSAPI/SPNEGO going -- it'll look as integrated as
> ActiveDirectory. :)
>
> --bak
>
> Magnus wrote:
> > Nick wrote:
> >> Any nudges in the right direction would be appreciated.
> >
> > Would that include nudging away from LDAP for authentication?  It's a
> > great tool for user metadata and other directory services but for
> > authentication... KerberosV.  Linux does support authentication by
> > KerberosV mixed with directory services from LDAP.  Works great.
> >
> >


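Added example, not part of the thread or any poster's code: a Python sketch of the mismatch bak describes, where an application reads the userPassword attribute and compares it itself instead of letting the directory answer yes or no. The function names and sample values are constructed for illustration; the {SHA} and {SSHA} layouts are the standard base64 encodings of SHA-1 digests, with the salt appended for {SSHA}.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def directory_check(stored: str, candidate: bytes) -> bool:
    """Server-side view: pick the scheme from the {PREFIX}, then verify."""
    scheme, sep, body = stored.partition("}")
    if not (sep and scheme.startswith("{")):
        # No scheme prefix: the value is stored in the clear.
        return hmac.compare_digest(stored.encode(), candidate)
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return False  # malformed value: refuse rather than guess
    name = scheme[1:].upper()
    if name == "SHA" and len(raw) == 20:
        return hmac.compare_digest(raw, hashlib.sha1(candidate).digest())
    if name == "SSHA" and len(raw) > 20:
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(candidate + salt).digest())
    return False  # scheme this verifier does not understand


def naive_app_check(stored: str, candidate: bytes) -> bool:
    """Hypothetical application that expects a cleartext password field."""
    return stored.encode() == candidate


if __name__ == "__main__":
    # Constructed sample entry: the admin chose salted hashing.
    stored = make_ssha(b"correct horse", salt=b"demosalt")
    print("attribute value :", stored)
    print("directory check :", directory_check(stored, b"correct horse"))
    print("naive app check :", naive_app_check(stored, b"correct horse"))
```

The naive check rejects the right password as soon as the attribute holds anything but cleartext, which is why such applications push administrators toward weaker storage.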
