[Freeipa-users] Re: kadmin help when using LDAP db (MIT kerberos)

Simo Sorce ssorce at redhat.com
Mon Nov 17 13:51:42 UTC 2008


On Mon, 2008-11-17 at 08:57 -0430, Robert Marcano wrote:
> On Sun, 2008-11-16 at 16:58 -0500, Simo Sorce wrote:
> > On Sun, 2008-11-16 at 14:41 -0430, Robert Marcano wrote:
> > > I added a little patch to freeipa in order to update sambaPwdLastSet on
> > > the DS plugin code (ipa_pwd_extop.c), see attachment
> > 
> > Interesting, although we should probably better patch samba to use
> > freeipa's own fields, keeping multiple copies of the same data is always
> > a mess as they easily get out of sync.
> 
> The same can be said about the password hashes that can go out of sync
> for some unexpected reason (and those can not be merged with any
> existing field).

That's why I said you should use "ldap passwd sync = only".
Using this option ipa will generate the hashes itself as part of one
unique password change operation. This makes it much less likely that
passwords will go out of sync. The only way would be for someone to
manually mess with the ldap entry.

> I think the only way to have this patched on Samba is
> to build a new passdb backend (reusing code from the ldap backend); that
> way no schema change will occur for any current Samba/LDAP user, and the
> samba configuration for IPA can be made easier, no "ldap * suffix" to be
> defined; at minimum one setting will be needed: the IPA domain.

Yes, an entire new backend could make things easier, but another way is
to take the edirectory variant (already in the sources) and see if that
can be modified; that should be less work.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
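The setting Simo refers to, shown here as an added illustration that is not part of the thread: a minimal smb.conf fragment contrasting `ldap passwd sync = yes` (Samba writes its own sambaNTPassword/sambaLMPassword copies into the directory, the second copy of the same secret that can drift out of sync) with `ldap passwd sync = only` (Samba only sends the new password to the LDAP server, and a server-side plugin such as ipa_pwd_extop derives the hashes in one operation). The server name, base DN and admin DN are constructed placeholders, not values from the thread.

```ini
[global]
   workgroup = EXAMPLE
   security = user

   # Constructed placeholders: point these at the IPA directory server and its base DN.
   passdb backend = ldapsam:ldap://ipa.example.com
   ldap suffix = dc=example,dc=com
   ldap user suffix = cn=users,cn=accounts
   ldap admin dn = uid=admin,cn=users,cn=accounts,dc=example,dc=com
   ldap ssl = start tls

   # Weaker setting: Samba itself writes sambaNTPassword/sambaLMPassword into LDAP
   # in addition to changing userPassword, leaving two copies that can drift apart.
   ;ldap passwd sync = yes

   # Setting recommended in the thread: Samba only sends the password change to the
   # LDAP server; the directory's password plugin generates every hash in one operation.
   ldap passwd sync = only
```

With `only`, the password hashes held in the directory are produced by a single server-side operation, so a mismatch between userPassword and the samba* hash attributes can arise only from someone editing the LDAP entry directly, which is the failure mode Simo describes.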
