Re: How to synchronize Kerberos and SASL passwords?

From: Gary Mills (no email)
Date: Thu Nov 29 2007 - 21:52:40 EST

    On Thu, Nov 29, 2007 at 10:57:58AM +0100, Sebastian Hagedorn wrote:
    > --On 28. November 2007 19:40:22 -0600 Gary Mills <>
    > wrote:
    > >We have a central database that contains Unix, NTLM, and SASL
    > >passwords, permitting single-password signons for Unix and Windows
    > >desktops, and for Cyrus IMAP. I'd like to add Kerberos to this mix,
    > >but only for IMAP authentications initially. This would permit
    > >single-signon from Unix IMAP clients like mutt and pine, and
    > >especially from a webmail application using pubcookie for
    > >authentication. I'd like Kerberos to use the same passwords, rather
    > >than supporting another password database. Is anybody doing this? Is
    > >it even possible?
    > I don't think so, but I could be wrong.
    > >If not, would it be possible to keep them
    > >synchronized?
    > Well, I would assume that your "SASL passwords" are actually plain text,
    > right? If you have the actual passwords you can of course keep two
    > databases in sync. We do something similar. There's a cron job that runs
    > once per hour and handles deltas.

    Yes, that's correct, although they're not stored that way in the account
    database. I'm pleased to hear that that works. I may decide to do the
    same thing.

    We use PAM exclusively. I notice that Solaris has a pam_krb5_migrate
    module that will populate the Kerberos database when users don't
    already have Kerberos passwords. That provides another way to do it.

    -Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
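The hourly delta sync Sebastian describes, sketched as an added example (not code from either poster). It assumes, as his reply does, that the sync job can obtain each changed account's plaintext password at run time, that MIT `kadmin.local` is on the KDC host, and that passwords contain no whitespace or quotes; the realm, account records and watermark are constructed sample values.

```python
"""Hourly delta sync from a central account database into a Kerberos KDC."""
import subprocess
from dataclasses import dataclass

REALM = "EXAMPLE.EDU"  # placeholder realm, not from the thread


@dataclass(frozen=True)
class Account:
    user: str
    password: str  # plaintext, held only in memory for the duration of the run
    mtime: int     # epoch seconds of the last password change in the central DB


def select_deltas(accounts, last_sync):
    """Accounts whose password changed after the previous sync, oldest first."""
    changed = [a for a in accounts if a.mtime > last_sync]
    return sorted(changed, key=lambda a: a.mtime)


def kadmin_script(deltas):
    """Build the command stream for kadmin.local for one batch of changes.

    Commands are fed on stdin rather than via -q so the passwords never
    appear in the process argument list, which any local user can read.
    """
    return "".join(f"change_password -pw {a.password} {a.user}@{REALM}\n"
                   for a in deltas)


def sync(accounts, last_sync, run=None):
    """Push deltas to the KDC; return (new watermark, principals updated).

    `run` defaults to invoking kadmin.local; pass a callable to dry-run.
    """
    deltas = select_deltas(accounts, last_sync)
    if not deltas:
        return last_sync, 0
    if run is None:
        def run(script):
            subprocess.run(["kadmin.local"], input=script, text=True, check=True)
    run(kadmin_script(deltas))
    # Advance the watermark only after kadmin succeeded, so a failed run
    # is simply retried by the next hourly cron invocation.
    return deltas[-1].mtime, len(deltas)


# Constructed sample: bob is unchanged since the previous sync at t=1000.
SAMPLE = [Account("alice", "s3cret-a", 1200),
          Account("bob", "s3cret-b", 900),
          Account("carol", "s3cret-c", 1100)]
```

The watermark should be taken from the database's own clock before the changed rows are read, otherwise a password changed while the job runs can be skipped until it changes again.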

