Kerberos + LDAP + Cyrus-SASL woes

James Hunt james at oicgroup.net
Wed May 26 17:50:58 EDT 2004


We are looking to integrate Kerberos with LDAP and PAM (facilitating
communication between Kerberos and LDAP using Cyrus-SASL) on Linux.  On
our own, and using documentation found on the web, we have managed to
implement it partially.

What we have so far:
	A working LDAP server that we can bind to and query.
	A working Kerberos KDC that is issuing tickets.
	A PAM setup that has moved the UNIX authentication (/etc/passwd) into LDAP.

The final product would provide central user authentication (the
Kerberos KDC) and user account management (LDAP), thus providing many of
the services of a Windows Active Directory server.  What we are stuck on
is not so much a configuration or software issue as it is a conceptual
snag.  Where should Kerberos tickets (and possibly keytabs) be stored to
interoperate with LDAP?  How is LDAP supposed to contact the KDC and
receive a ticket?  Is the user supposed to run kinit -f upon login?

Our company, the OIC Group, is looking for someone who really knows
Kerberos and LDAP inside and out, and is willing to lend a hand, either
as a consultant, or a contract system administrator.  OIC is willing to
pay for services rendered.  Our only requirement is that the working
implementation / configuration be well-documented for future reference.

Any help / direction / guidance is greatly appreciated.

James Hunt,
Senior Programmer
OIC Group, Inc.
http://www.oicgroup.net/



More information about the Kerberos mailing list