When you change your password via kpasswd, does it change your password that is stored on the Kerberos server, or does it change your password that is stored in the OpenLDAP server?
1 Answer
How does kpasswd change password?
It talks to your KDC (Kerberos server) using the "Kpasswd" protocol on port 464. (For MIT Kerberos this is handled by kadmind, not by krb5kdc, but is still a standard Kerberos protocol.)
does it change your password that is stored on the Kerberos server, or does it change your password that is stored in the OpenLDAP server?
When speaking about OpenLDAP specifically: kpasswd has nothing to do with LDAP, and Kerberos as a whole has nothing to do with LDAP.
While MIT and Heimdal KDCs support using LDAP as a database backend, in such situations the LDAP server acts as nothing more than a database backend; the KDC does not use it for password validation. Only the opposite might be set up; the LDAP server might validate bind passwords against a KDC.
(Of course, this may be different for tightly-integrated services such as Active Directory, where the KDC and the LDAP service are always found together; in that case kpasswd would simultaneously change the AD Kerberos and LDAP passwords.)
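The kpasswd exchange on port 464 mentioned in the answer can be recognized by its framing. The following is an added example, not part of the original answer, and it goes beyond it by using the RFC 3244 header layout (message length, protocol version, AP length, then the Kerberos messages) for a single UDP datagram. The function names and the sample datagrams are constructed for illustration, and the message bodies are placeholders, not decodable Kerberos data.

```python
import struct

# ASN.1 application tags of the Kerberos messages carried inside the frame
KRB_TAGS = {0x6E: "AP-REQ", 0x6F: "AP-REP", 0x75: "KRB-PRIV", 0x7E: "KRB-ERROR"}
# Version field: 0x0001 = original change-password, 0xFF80 = RFC 3244 set/change
VERSIONS = {0x0001: "change-password v1", 0xFF80: "RFC 3244 set/change-password"}


def parse_kpasswd_frame(datagram: bytes) -> dict:
    """Parse the 6-byte kpasswd header of one UDP datagram and label its parts."""
    if len(datagram) < 6:
        raise ValueError("shorter than the 6-byte kpasswd header")
    msg_len, version, ap_len = struct.unpack("!HHH", datagram[:6])
    if msg_len != len(datagram):
        raise ValueError(f"length field {msg_len} != datagram size {len(datagram)}")
    if version not in VERSIONS:
        raise ValueError(f"unknown protocol version 0x{version:04x}")
    if 6 + ap_len >= len(datagram):
        raise ValueError("AP length leaves no room for the trailing message")
    ap_part = datagram[6:6 + ap_len]
    tail = datagram[6 + ap_len:]
    return {
        "version": VERSIONS[version],
        # An AP length of zero means the trailing message is a KRB-ERROR
        "ap": KRB_TAGS.get(ap_part[0], "unknown") if ap_part else None,
        # The new password travels encrypted inside the KRB-PRIV message
        "payload": KRB_TAGS.get(tail[0], "unknown"),
    }


def build_sample(version: int, ap: bytes, tail: bytes) -> bytes:
    """Constructed sample: real framing, placeholder (non-decodable) bodies."""
    body = struct.pack("!HH", version, len(ap)) + ap + tail
    return struct.pack("!H", len(body) + 2) + body


SAMPLE_REQUEST = build_sample(0xFF80, b"\x6e" + b"\x00" * 9, b"\x75" + b"\x00" * 5)
SAMPLE_ERROR_REPLY = build_sample(0x0001, b"", b"\x7e" + b"\x00" * 5)

if __name__ == "__main__":
    print(parse_kpasswd_frame(SAMPLE_REQUEST))
    print(parse_kpasswd_frame(SAMPLE_ERROR_REPLY))
```

Over TCP the same frame is preceded by a 4-byte length prefix, which this sketch does not handle.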