Passwords (Kerberos and LDAP)

All accounts have two different passwords associated with them: Kerberos and LDAP. Their usage is explained in the table below. In general, services which grant full filesystem access require your Kerberos password. Other services use LDAP. You should pick different, secure passwords for each.

                        Kerberos                                   LDAP
What is it used for?    • Logging into Linux                       • Department wikis
                        • Logging into Windows                     • OpenVPN
                        • Accessing CIFS                           • Postgres database
                        • Unlocking a locked screen                • Printing (e.g. lprm command)
                        • Obtaining Kerberos tickets with kinit    • Jabber IM server
How do you change it?   /local/bin/kpasswd                         /local/bin/ldappasswd

Initial Passwords

All new users are assigned a random Kerberos password which is given to the user when their account is created. New users should use this password to log in for the first time and then immediately change it using the directions below.

New users start out with no LDAP password, which means they can't log into services using LDAP. To set an initial LDAP password, follow the password changing instructions below.

Changing a Password

To change your Kerberos or LDAP password, log into a Linux system, open a shell prompt, and run the command listed in the table above.

To change either password you need to know your current Kerberos password. You do not need to know your current LDAP password to change your LDAP password.

Warning

Your LDAP password is used for a great number of services. If you have it saved in any of your applications and you change it, you will need to reconfigure your applications to remember your new password.

Forgotten Password

Kerberos

Please visit one of our Systems Administrators (CIT 570, 575, or 569) during business hours, locate a SPOC after hours, or email problem@cs.brown.edu to arrange an appointment. You will normally need to present your Brown ID to have your password reset.

LDAP

Simply run the /local/bin/ldappasswd command as described above. You don't need to know your current LDAP password to change it.

Password Requirements

We do our best to follow the CIS password policy. Therefore, we need to enforce the following requirements on Kerberos and LDAP passwords:

After changing your password, you must wait a day before changing it again.

Why Two Passwords?

For security. Although a compromise of either password would be bad, a compromise of your Kerberos password would be worse, since it would allow an attacker to log in and access the filesystem. Also, note that your LDAP password is likely to be entered over the web, making it inherently more vulnerable than your Kerberos password.