From: Quanah Gibson-Mount Date: Sun, 12 Dec 2010 02:45:30 +0000 (+0000) Subject: KERBEROS has not been a valid password scheme since 2004... X-Git-Tag: OPENLDAP_REL_ENG_2_4_24~256 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=ae6ef32cb7cfa73bc4cddc7ccebd54f233f32199;p=openldap KERBEROS has not been a valid password scheme since 2004... Actually, slapd has supported sasl_setpass for many years... --- diff --git a/doc/guide/admin/security.sdf b/doc/guide/admin/security.sdf index 718a558240..4b045f5f40 100644 --- a/doc/guide/admin/security.sdf +++ b/doc/guide/admin/security.sdf @@ -274,19 +274,6 @@ verification to another process. See below for more information. Note: This is not the same as using SASL to authenticate the LDAP session. -H3: KERBEROS password storage scheme - -This is not really a password storage scheme at all. It uses the -value of the {{userPassword}} attribute to delegate password -verification to Kerberos. - -Note: This is not the same as using Kerberos authentication of -the LDAP session. - -This scheme could be said to defeat the advantages of Kerberos by -causing the Kerberos password to be exposed to the {{slapd}} server -(and possibly on the network as well). - H2: Pass-Through authentication Since OpenLDAP 2.0 {{slapd}} has had the ability to delegate password @@ -316,9 +303,6 @@ mechanism and are used to identify the account whose password is to be verified. This allows arbitrary mapping between entries in OpenLDAP and accounts known to the backend authentication service. -Note: There is no support for changing passwords in the backend -via {{slapd}}. - It would be wise to use access control to prevent users from changing their passwords through LDAP where they have pass-through authentication enabled.
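Review bot: In the first hunk (security.sdf, the H3 KERBEROS section) the only security caveat in the removed text, that delegating verification causes the cleartext password to be "exposed to the {{slapd}} server (and possibly on the network as well)", is dropped along with the obsolete scheme, yet the same concern applies to the SASL delegation described in the unchanged context just above ("verification to another process"). Suggest moving that one sentence into the preceding section rather than deleting it, so the remaining scheme keeps the warning.

Review bot: In the second hunk, deleting "Note: There is no support for changing passwords in the backend via {{slapd}}." removes the rationale for the sentence that follows it ("It would be wise to use access control to prevent users from changing their passwords through LDAP..."), which now reads as unmotivated advice. Since the commit message states that slapd has supported sasl_setpass for years, replace the note with a sentence saying that, for example "Password changes through {{slapd}} are passed to the backend via sasl_setpass", so the access-control recommendation still has context.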