My organization was using 389 Directory Server LDAP up until now to manage authentication. I was tasked with switching to Kerberos for that purpose but I still want to keep LDAP for non-auth relevant data.

My problem lies in seeding the existing users.

As I understand it, LDAP keeps the hashed password but Kerberos generates a key based on a plain text password when a user is created. Is there a way to use the hashed password instead? I know it's possible in LDAP.

A friend ran into a similar problem and his solution was to capture the user/plain-text password request on every auth attempt and use that information to seed his Kerberos database for a few months (to get all 'active' users) but that poses some security risks.

Another option would be to send a massive email to all users forcing them to reset their password but I'd rather avoid that.

Is there a better way?

IGP
  • LDAP might use plain text passwords. What password scheme is your LDAP using? How are your users logging in? If PAM is used, you might expire all their LDAP passwords so they need to change it at the first login. – Piotr P. Karwasz Dec 12 '19 at 22:29
  • Ideally, I want this to be seamless (users keep their password and don't even notice the change). – IGP Dec 13 '19 at 04:58
  • They will type the same password as new password and be happy they cheated you :-). The key derivation functions of LDAP and Kerberos, e.g. `{SSHA}` in LDAP and `aes` based encryption types in Kerberos, are similar: one is basically PBKDF1 with SHA-1, the other PBKDF2 with SHA-1 HMAC. However, the differences don't allow changing one into the other. – Piotr P. Karwasz Dec 13 '19 at 05:33
  • Are you trying to get rid of the ldap database? Why not use kerberos with ldap as the backend storage? – Zoredache Dec 16 '19 at 21:06
  • Requirements are specific. Migrate auth to kerberos. Leave everything else in ldap – IGP Dec 16 '19 at 22:27
  • You can slightly modify [pam-krb5](https://github.com/rra/pam-krb5) so that `pam_sm_authenticate` actually calls `pam_sm_chauthtok` and returns `PAM_IGNORE`. This way pam_krb5 will be changing the passwords instead of authenticating. – Piotr P. Karwasz Dec 17 '19 at 23:47
  • @Piotr P. Karwasz Your last suggestion works for me. Can you make it an answer so I can award the bounty? – IGP Dec 21 '19 at 02:01
  • Thanks, could you leave a github fork and post it as an answer, so it remains for posterity? – Piotr P. Karwasz Dec 21 '19 at 04:33
  • I'm afraid I can't. Company policy. – IGP Dec 21 '19 at 20:58

1 Answer


This should point you in the right direction:

You can slightly modify pam-krb5, so that pam_sm_authenticate actually calls pam_sm_chauthtok and returns PAM_IGNORE. This way pam_krb5 will be changing the passwords instead of authenticating.

Piotr P. Karwasz
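Added example, not taken from the question, the comments or the answer: a Python model (standard library only) of two things discussed above. First, the point made in the comments that a 389-DS `{SSHA}` value and a Kerberos AES key are both derived from the passphrase, but by unrelated functions, so the stored LDAP hash cannot be turned into a Kerberos key. Second, the answer's approach of seeding Kerberos at the moment a user authenticates successfully, modelled as a login hook that sets the Kerberos key once and never persists the cleartext. The `{SSHA}` layout, the RFC 3962 default salt and iteration count are real; the `LoginMigrator` class, `run_demo`, the user names and passphrases are constructed for the example, and the final AES-based `DK(tkey, "kerberos")` step of string-to-key is left out, so `krb5_pbkdf2_stage` returns the PBKDF2 intermediate, not the finished Kerberos key.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# --- LDAP side: what 389-DS stores for a {SSHA} password -------------------

def ldap_ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} attribute value: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ldap_ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


# --- Kerberos side: RFC 3962 string-to-key, first stage ---------------------

def krb5_default_salt(principal: str, realm: str) -> str:
    """Default Kerberos salt: realm name followed by the principal's name components."""
    return realm + principal.replace("/", "")


def krb5_pbkdf2_stage(password: str, salt: str, iterations: int = 4096, key_len: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the aes128-cts-hmac-sha1-96 string-to-key.

    RFC 3962 follows this with key = DK(tkey, "kerberos"), which needs AES and is
    omitted here. The input is the cleartext passphrase, not any hash of it, so
    nothing stored in LDAP can be fed in instead.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


# --- Migration hook: a model of the pam-krb5 idea from the answer ----------

class LoginMigrator:
    """Authenticate against LDAP; on success, set the Kerberos key for that user once.

    Models a PAM stack where the LDAP module authenticates and a modified pam_krb5
    performs a password change instead of an authentication (hypothetical class,
    constructed for this example). The cleartext is held only in the login() frame.
    """

    def __init__(self, ldap_hashes: Dict[str, str], realm: str):
        self.ldap_hashes = ldap_hashes          # uid -> {SSHA} value readable from LDAP
        self.realm = realm
        self.krb_keys: Dict[str, bytes] = {}    # principal -> key a KDC would hold

    def login(self, uid: str, password: str) -> bool:
        stored = self.ldap_hashes.get(uid)
        if stored is None or not ldap_ssha_verify(password, stored):
            return False                        # wrong password: nothing is seeded
        if uid not in self.krb_keys:            # seed exactly once, at first good login
            salt = krb5_default_salt(uid, self.realm)
            self.krb_keys[uid] = krb5_pbkdf2_stage(password, salt)
        return True

    def unmigrated(self):
        """Accounts still without a Kerberos key; after the window these need a reset."""
        return sorted(set(self.ldap_hashes) - set(self.krb_keys))


def run_demo() -> Dict[str, object]:
    # Constructed sample directory: two users, fixed salts so the run is repeatable.
    directory = {
        "alice": ldap_ssha_hash("correct horse battery", b"saltsalt"),
        "bob": ldap_ssha_hash("another passphrase", b"pepper!!"),
    }
    mig = LoginMigrator(directory, "EXAMPLE.COM")
    results = {
        "alice_bad": mig.login("alice", "wrong guess"),
        "alice_ok": mig.login("alice", "correct horse battery"),
        "alice_again": mig.login("alice", "correct horse battery"),
        "unknown": mig.login("carol", "whatever"),
    }
    results["migrated"] = sorted(mig.krb_keys)
    results["pending"] = mig.unmigrated()
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

`unmigrated()` is the list that decides how long the login-time window has to run: whoever is still on it when the window closes is the population that gets the forced reset the question wanted to avoid for everyone.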