Single ldap installation with users from multiple realms... or possibly failover from one realm to the next

Chris McClimans Chris.McClimans at ttu.edu
Fri Apr 2 10:47:00 EST 2004


I've got an interesting dilemma. I've got users from two kerberos
realms... one of them is under my control and the other is an Active
Directory under control of central IT. They won't modify the AD to have
any useful unix attributes, so I'm stuck building my own ldap solution.
Is there a way I can use a combination of nss_ldap and something like
libpam_krb5/libpam_ldap to achieve the following for local logins? I
don't think it is an issue if they already have a TGT.

login: localuser
password for localuser@LOCALREALM:

for users with krb5PrincipalName/userPassword in our localrealm and:

login: remoteuser
password for remoteuser@REMOTEREALM:

for users in the remote/central realm?

I'd actually love to find a way to try someuser@LOCALREALM first then
try someuser@REMOTEREALM second, but I'm not seeing a clear path
without writing my own pam module.

For clarity here's the example users:

dn: uid=localuser,ou=People,dc=localrealm
uid: localuser
cn: Local Users
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: krb5Principal
objectClass: shadowAccount
krb5PrincipalName: localuser@LOCALREALM
loginShell: /bin/bash
uidNumber: 1118
gidNumber: 200
homeDirectory: /afs/localrealm/user/localuser
gecos: Local User
userPassword:: e0tFUkJFUk9TfW1jY2xpbWFuQENTLlRUVS5FRFU= (actually
{KERBEROS}localuser@LOCALREALM)

dn: uid=remoteuser,ou=People,dc=localrealm
uid: remoteuser
cn: Remote User
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: krb5Principal
objectClass: shadowAccount
krb5PrincipalName: remoteuser@REMOTEREALM
loginShell: /bin/bash
uidNumber: 1119
gidNumber: 200
homeDirectory: /afs/localrealm/user/remoteuser
gecos: Remote User
userPassword:: e0tFUkJFUk9TfW1jY2xpbWFuQENTLlRUVS5FRFU= (actually
{KERBEROS}remoteuser@REMOTEREALM)



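One way to get the per-user realm selection, and the local-then-remote failover, that the post asks about, written here as an added example that is not part of the post and is not code from nss_ldap, pam_krb5, pam_ldap or OpenLDAP. It reads krb5PrincipalName (and a {KERBEROS}principal@REALM userPassword, when present) out of LDIF of the shape shown above, treats the directory entry as the authority for which principal a login name maps to, so a local "alice" can never be accepted as some unrelated alice@REMOTEREALM, and only guesses login@LOCALREALM then login@REMOTEREALM for names that have no entry at all, and only when that is switched on. The realm names, the constructed LDIF, the table-driven verifier used in the demo and the kinit wrapper are all assumptions of this example.

```python
import base64
from typing import Callable, Dict, List, Optional

# Assumed realm names, taken from the placeholders used in the post.
LOCAL_REALM = "LOCALREALM"
REMOTE_REALM = "REMOTEREALM"


def _b64(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed sample directory content shaped like the two entries in the post.
# The userPassword values are encoded here from the cleartext the post says
# they "actually" hold; they are not copied from the post's base64.
SAMPLE_LDIF = (
    "dn: uid=localuser,ou=People,dc=localrealm\n"
    "uid: localuser\n"
    "objectClass: posixAccount\n"
    "objectClass: krb5Principal\n"
    "krb5PrincipalName: localuser@" + LOCAL_REALM + "\n"
    "uidNumber: 1118\n"
    "userPassword:: " + _b64("{KERBEROS}localuser@" + LOCAL_REALM) + "\n"
    "\n"
    "dn: uid=remoteuser,ou=People,dc=localrealm\n"
    "uid: remoteuser\n"
    "objectClass: posixAccount\n"
    "objectClass: krb5Principal\n"
    "krb5PrincipalName: remoteuser@" + REMOTE_REALM + "\n"
    "uidNumber: 1119\n"
    "userPassword:: " + _b64("{KERBEROS}remoteuser@" + REMOTE_REALM) + "\n"
)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal RFC 2849 reader: unfolds continuation lines, decodes 'attr::'
    base64 values, and returns one attribute -> values dict per entry."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # folded continuation line
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    cur: Dict[str, List[str]] = {}
    for line in unfolded + [""]:             # trailing blank flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, rest = line.split(":", 1)
        if rest.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        cur.setdefault(name, []).append(value)
    return entries


def _realm_of(principal: str) -> str:
    return principal.rsplit("@", 1)[1] if "@" in principal else ""


def principals_for(login: str, entries: List[Dict[str, List[str]]],
                   allow_guess: bool = False) -> List[str]:
    """Ordered principals to try for a Unix login name. The entry's own
    krb5PrincipalName values are used, local realm first; a {KERBEROS}...
    userPassword must agree with them or the entry is rejected as
    inconsistent. Guessing login@LOCALREALM then login@REMOTEREALM (the
    failover asked about) is done only for names with no entry."""
    for entry in entries:
        if login not in entry.get("uid", []):
            continue
        princs = list(entry.get("krb5PrincipalName", []))
        for pw in entry.get("userPassword", []):
            if not pw.startswith("{KERBEROS}"):
                continue
            p = pw[len("{KERBEROS}"):]
            if princs and p not in princs:
                raise ValueError("userPassword and krb5PrincipalName disagree for " + login)
            if p not in princs:
                princs.append(p)
        order = {LOCAL_REALM: 0, REMOTE_REALM: 1}
        princs.sort(key=lambda p: order.get(_realm_of(p), 2))
        return princs
    if allow_guess:
        return [login + "@" + LOCAL_REALM, login + "@" + REMOTE_REALM]
    return []


def authenticate(login: str, password: str, verify: Callable[[str, str], bool],
                 entries: List[Dict[str, List[str]]], allow_guess: bool = False) -> Optional[str]:
    """Try each candidate principal in order; return the first one that verifies."""
    for principal in principals_for(login, entries, allow_guess):
        if verify(principal, password):
            return principal
    return None


def kinit_verify(principal: str, password: str) -> bool:
    """Real verifier for the plug-in slot (assumption: MIT kinit on PATH, reading
    the password from stdin), using a throwaway credential cache. Caveat: a
    password-only kinit does not prove the KDC is genuine; a PAM module must
    also validate the TGT against the host keytab, as pam_krb5 does."""
    import os, subprocess, tempfile
    with tempfile.TemporaryDirectory() as d:
        env = dict(os.environ, KRB5CCNAME="FILE:" + os.path.join(d, "cc"))
        r = subprocess.run(["kinit", principal], input=(password + "\n").encode(), env=env,
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return r.returncode == 0


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    # Constructed stand-in for the two KDCs: the (principal, password) pairs that exist.
    kdc = {("localuser@LOCALREALM", "s3cret"), ("remoteuser@REMOTEREALM", "hunter2")}
    for login, pw in [("localuser", "s3cret"), ("remoteuser", "hunter2"), ("remoteuser", "s3cret")]:
        print(login, "->", authenticate(login, pw, lambda p, w: (p, w) in kdc, directory))
```

Swap the table-driven verifier for kinit_verify to run it against real KDCs; the lookup itself would normally come from nss_ldap/ldapsearch rather than a parsed LDIF file, but the mapping rule is the same.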
More information about the Kerberos mailing list