Kerberos Backend for LDAP

John Morris kerberos at
Wed Jun 18 19:17:32 EDT 2003

Howdy, Matthew!

Matthew Smith <matt at> writes:

> Disclaimer: I will admit, right off the bat, that I am not very familiar 
> with OpenLDAP.
> If there was a back-krb5 for OpenLDAP, would an unmodified slurpd be
> able to replicate the krb info, since slurpd just sees it as LDAP info?
> Does slurpd use the LDAP interface for obtaining data to replicate, or
> does it tie in somewhere behind the scenes?
> -Matt

I'm not an expert either, but here's how I believe that would work:

The back-krb5 interface would query the KDC each time an LDAP query is
made.  If you have redundant LDAP servers, back-krb5 would be
configured to point at whichever KDC is appropriate.  LDAP replication
of the KDC data isn't necessary, since the data isn't stored in
LDAP-native dbs.  Any replication that goes on would be kprop, outside
of the LDAP system.



John Morris

