Kerberos with OpenLDAP backend: Password Sync HowTo

kerberos, openldap, password-management

The basic setup is an OpenLDAP server. The users are provisioned and the passwords are set.
Now we decided to add an MIT KDC for being able to use Kerberos. We configured the MIT KDC to utilize the LDAP as a backend for the KDC database.
We create principals and link them with the following command to existing LDAP users:

addprinc -x dn=cn=test.user,ou=people,dc=example,dc=com test.user

The problem is that this prompts for a new password, leading to two different passwords when obtaining Kerberos tickets and performing LDAP binds.

Is there a way to sync these passwords? I.e., when users change their passwords with kpasswd I want the LDAP password to change as well. And when users change their password with ldappasswd, vice versa.

Does anyone have a guide for this? I can't seem to find anything on the internet.

Best Answer

You should not sync the passwords. You should be using SASL passthrough authentication. Your userPassword should be of the form {SASL}username@REALM.
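What the accepted answer describes looks like this in practice. The script below is an added example, not part of the answer above and not code from the OpenLDAP or MIT Kerberos projects; it assumes Debian/Ubuntu-style paths (/etc/ldap/sasl2/slapd.conf, /etc/default/saslauthd), the question's example DN and user, and the realm EXAMPLE.COM. It writes the three pieces (the LDIF that replaces the user's local hash with the {SASL} marker, the slapd-side SASL config pointing at saslauthd, and the saslauthd defaults selecting the kerberos5 mechanism) into a scratch directory rather than into /etc, and includes a check that flags accounts still carrying a local hash, since those are exactly the ones that would drift from the KDC.

```shell
#!/bin/sh
# Added example (not from the original answer): SASL passthrough for
# OpenLDAP + MIT Kerberos. Assumed Debian/Ubuntu paths; example DN/realm.
# Nothing here touches a live server: output goes to $OUT for review.

OUT="${OUT:-./sasl-passthrough-example}"

# The userPassword value that makes slapd hand a simple bind to saslauthd,
# which verifies the password against the KDC. Realm/uid are example values.
sasl_userpassword() {
    uid="$1"; realm="$2"
    printf '{SASL}%s@%s\n' "$uid" "$realm"
}

# LDIF replacing the user's local hash with the passthrough marker, so the
# only password that exists is the Kerberos one (nothing left to sync).
make_ldif() {
    dn="$1"; uid="$2"; realm="$3"
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$dn" "$(sasl_userpassword "$uid" "$realm")"
}

# slapd's libsasl must consult saslauthd instead of its own sasldb
# (destination: /etc/ldap/sasl2/slapd.conf, assumed path).
make_slapd_sasl_conf() {
    printf 'pwcheck_method: saslauthd\nsaslauthd_path: /var/run/saslauthd/mux\n'
}

# saslauthd authenticates with the kerberos5 mechanism (Debian/Ubuntu
# /etc/default/saslauthd form; elsewhere this is "saslauthd -a kerberos5").
make_saslauthd_default() {
    printf 'START=yes\nMECHANISMS="kerberos5"\nOPTIONS="-c -m /var/run/saslauthd"\n'
}

# Check: a userPassword still carrying a local hash ({SSHA}, {CRYPT}, ...)
# or cleartext is NOT passthrough and will drift from the KDC password.
is_passthrough() {
    case "$1" in
        "{SASL}"*@*) return 0 ;;
        *)           return 1 ;;
    esac
}

main() {
    mkdir -p "$OUT"
    make_ldif "cn=test.user,ou=people,dc=example,dc=com" "test.user" "EXAMPLE.COM" \
        > "$OUT/test.user.ldif"
    make_slapd_sasl_conf   > "$OUT/slapd.conf"   # -> /etc/ldap/sasl2/slapd.conf
    make_saslauthd_default > "$OUT/saslauthd"    # -> /etc/default/saslauthd
    echo "Wrote:"; ls "$OUT"
    echo
    echo "Apply with (example invocation, not run here):"
    echo "  ldapmodify -x -D cn=admin,dc=example,dc=com -W -f $OUT/test.user.ldif"
    echo "Verify the KDC -> saslauthd leg before touching slapd:"
    echo "  testsaslauthd -u test.user -r EXAMPLE.COM -p 'the-kerberos-password'"
}

# Run "sh sasl-passthrough.sh write" to generate the files; otherwise the
# functions can simply be sourced and used individually.
if [ "${1:-}" = "write" ]; then
    main
fi
```

With this in place the LDAP bind is verified by the KDC, so kpasswd is the only way the password changes and ldappasswd no longer applies to these accounts. The simple bind still carries the password across the LDAP connection on its way to saslauthd, so the usual requirement of TLS on the LDAP listener (ldaps or StartTLS) applies here too.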