From ae6ef32cb7cfa73bc4cddc7ccebd54f233f32199 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Sun, 12 Dec 2010 02:45:30 +0000
Subject: [PATCH] KERBEROS has not been a valid password scheme since 2004...
 Actually, slapd has supported sasl_setpass for many years...

---
 doc/guide/admin/security.sdf | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/doc/guide/admin/security.sdf b/doc/guide/admin/security.sdf
index 718a558240..4b045f5f40 100644
--- a/doc/guide/admin/security.sdf
+++ b/doc/guide/admin/security.sdf
@@ -274,19 +274,6 @@ verification to another process. See below for more information.
 Note: This is not the same as using SASL to authenticate the LDAP
 session.
 
-H3: KERBEROS password storage scheme
-
-This is not really a password storage scheme at all. It uses the
-value of the {{userPassword}} attribute to delegate password
-verification to Kerberos. 
-
-Note: This is not the same as using Kerberos authentication of 
-the LDAP session.
-
-This scheme could be said to defeat the advantages of Kerberos by 
-causing the Kerberos password to be exposed to the {{slapd}} server 
-(and possibly on the network as well).
-
 H2: Pass-Through authentication
 
 Since OpenLDAP 2.0 {{slapd}} has had the ability to delegate password
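Review bot: The "H3: KERBEROS password storage scheme" section is deleted with no replacement text, so an administrator who still has {{userPassword}} values using the KERBEROS scheme finds nothing in the guide about what happened to it. Consider leaving a one-line note at this spot saying the scheme is no longer supported and pointing to the "Pass-Through authentication" section that follows. The removed paragraph was also the only place in these lines that warned about the password being exposed to the {{slapd}} server (and possibly on the network); if that concern holds for delegated verification in general, it is worth restating in the pass-through section rather than dropping it.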
@@ -316,9 +303,6 @@ mechanism and are used to identify the account whose password is to be
 verified. This allows arbitrary mapping between entries in OpenLDAP
 and accounts known to the backend authentication service.
 
-Note: There is no support for changing passwords in the backend
-via {{slapd}}.
-
 It would be wise to use access control to prevent users from changing 
 their passwords through LDAP where they have pass-through authentication 
 enabled.
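Review bot: After the "Note: There is no support for changing passwords in the backend via {{slapd}}." lines are removed, the retained paragraph ("It would be wise to use access control to prevent users from changing their passwords through LDAP ...") no longer has a stated reason. The commit message says slapd has supported sasl_setpass for many years, but nothing in the document now tells the reader that, or when a password change made through LDAP reaches the backend. Suggest replacing the deleted note with a sentence describing the sasl_setpass behaviour, and rewording the access-control advice so it says under which conditions it still applies.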
-- 
GitLab