Kerberos with OpenLDAP backend: Password Sync HowTo

The basic setup is an OpenLDAP server. The users are provisioned and the passwords are set. Now we decided to add an MIT KDC for being able to use Kerberos. We configured the MIT KDC to utilize the LDAP as a backend for the KDC database. We create principals and link them with the following command to existing LDAP users:

addprinc -x dn=cn=test.user,ou=people,dc=example,dc=com test.user

The problem is that this prompts for a new password, leading to two different passwords when obtaining Kerberos tickets and performing LDAP binds.

Is there a way to sync these passwords? I.e., when users change their passwords with kpasswd I want the LDAP password to change as well. And when users change their password with ldappasswd, vice versa.

Does anyone have a guide for this? I can't seem to find anything on the internet.


Solution 1:

You should not sync the passwords. You should be using SASL passthrough authentication. Your userPassword should be of the form {SASL}username@REALM.
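The {SASL} pass-through form from this answer, as an added example that is not part of the answer or of any project: a small audit that flags userPassword values still holding a local hash (which would drift from the KDC password) and emits the LDIF to replace them. The realm EXAMPLE.COM, the uid-equals-principal mapping and the sample entries are assumptions.

```python
"""Audit userPassword values for SASL pass-through and emit fixing LDIF.

Added example, not code from the original post. Assumes the Kerberos
realm is EXAMPLE.COM and that the uid attribute is the principal name.
slapd still needs its SASL config (pwcheck_method: saslauthd) and a
running saslauthd -a kerberos5 for these values to authenticate.
"""
import re

REALM = "EXAMPLE.COM"  # assumption: the KDC realm

# Entries shaped like ldapsearch output (constructed sample data).
SAMPLE_ENTRIES = [
    {"dn": "cn=test.user,ou=people,dc=example,dc=com", "uid": "test.user",
     "userPassword": "{SSHA}c2FtcGxlLWhhc2gtbm90LXJlYWw="},   # local hash
    {"dn": "cn=alice,ou=people,dc=example,dc=com", "uid": "alice",
     "userPassword": "{SASL}alice@EXAMPLE.COM"},              # correct
    {"dn": "cn=bob,ou=people,dc=example,dc=com", "uid": "bob",
     "userPassword": "{SASL}bob@OTHER.REALM"},                # wrong realm
]

SASL_RE = re.compile(r"^\{SASL\}(?P<user>[^@]+)@(?P<realm>.+)$")


def passthrough_ok(entry, realm=REALM):
    """True if userPassword delegates the bind to saslauthd as uid@realm."""
    m = SASL_RE.match(entry.get("userPassword", ""))
    return bool(m) and m["user"] == entry["uid"] and m["realm"] == realm


def stale_entries(entries, realm=REALM):
    """DNs that still hold a local hash or point at another realm."""
    return [e["dn"] for e in entries if not passthrough_ok(e, realm)]


def ldif_for(entry, realm=REALM):
    """LDIF modify record switching the entry to the {SASL} reference."""
    return (f"dn: {entry['dn']}\nchangetype: modify\nreplace: userPassword\n"
            f"userPassword: {{SASL}}{entry['uid']}@{realm}\n")


if __name__ == "__main__":
    by_dn = {e["dn"]: e for e in SAMPLE_ENTRIES}
    for dn in stale_entries(SAMPLE_ENTRIES):
        print(ldif_for(by_dn[dn]))   # feed to: ldapmodify -x -D ... -W
```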

Solution 2:

If it's an option for you to not build everything from scratch, I can recommend Univention Corporate Server (UCS). It's a free, Debian-based, enterprise-level operating system that works well as domain / identity management for heterogeneous environments, including authentication via OpenLDAP and Kerberos (default Heimdal, optional Samba AD). The needed sync and overlay modules are built-in. You can install UCS very quickly via Univention's website. The Unixmen website also recently posted a good brief installation tutorial about UCS.