Kerberos Questions

Michael Stanton stantmk at pacbell.net
Thu Nov 16 14:59:51 EST 2006


I'm truly a noob when it comes to Kerberos so I apologize in advance if my questions do not make much sense. I'm looking to propose a recommendation for my company to implement Kerberos v5 authentication in combination with LDAP authorization. We are currently using Sun ONE Directory Server for simple bind authentication and authorization. I would like to know the following:

1) For web applications that currently rely upon LDAP for password info, it is my understanding that implementing Kerberos would require the password field for each user authenticating to the web app to be modified with an entry similar to the following: '{kerberos} joe at kerberosrealm.com,' at which point the Kerberos client would take over authentication. Is this a valid statement? Is it truly transparent to the web apps if the password mechanism is changed from simple bind to Kerberos?

2) Does SASL-GSSAPI using Kerberos provide me with any benefit other than enabling LDAP servers to securely authenticate with one another for replication purposes, or is it also the mechanism that enables the LDAP server to authenticate to the KDC, similar to when a client using PAM_krb5 authenticates to the KDC when requesting LDAP services? Does anyone know if Sun ONE Directory 5.1 or 5.2 comes with a SASL-GSSAPI plug-in, or would I need to purchase the PADL product?

3) Is anyone familiar with Turbo Fredriksson's document "Implementing LDAPv3: OpenLDAP, Kerberos v5 and glue code for distributed data?" Is this the best model for integrating LDAP and Kerberos v5?

Your comments on the above are appreciated.

-Mike
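The first question above turns on what a directory server can do with a userPassword value that holds no password material. The following is an added example, not code from the post, from Sun ONE Directory Server, or from any Kerberos product: it parses userPassword values in the RFC 2307 `{scheme}value` form and shows that an `{SSHA}` hash can be verified locally by the directory, whereas a `{KERBEROS}principal` value (the form the post asks about) carries only a principal name, so a simple bind against that entry can only be handled by delegating to the KDC. The delegation itself is modelled as a decision, not performed; the DNs, realm and passwords are constructed sample data.

```python
# Added example (not code from the mailing-list post or from Sun ONE Directory
# Server): models how a directory server must treat a simple bind depending on
# the storage-scheme prefix of the entry's userPassword attribute (RFC 2307
# '{scheme}value' form). A '{KERBEROS}principal' value stores no password
# material, so the bind can only be verified by asking the KDC; an '{SSHA}'
# value can be verified locally. All sample entries below are constructed.
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def parse_userpassword(value: str):
    """Split '{SCHEME}payload' into (SCHEME, payload); no prefix means cleartext."""
    m = SCHEME_RE.match(value)
    if m is None:
        return "CLEAR", value
    return m.group(1).upper(), m.group(2)


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an RFC 2307 {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(payload: str, password: str) -> bool:
    """Check a supplied password against the {SSHA} payload (digest || salt)."""
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def simple_bind_decision(userpassword: str, password: str) -> dict:
    """Decide how a simple bind against this entry would be handled.

    Returns {'action': 'verified-locally' | 'rejected' | 'delegate-to-kdc', ...}.
    The 'delegate-to-kdc' branch is where a Kerberos-aware directory would hand
    the principal and the supplied password to the KDC (modelled, not performed).
    """
    scheme, payload = parse_userpassword(userpassword)
    if scheme == "KERBEROS":
        return {"action": "delegate-to-kdc", "principal": payload.strip()}
    if scheme == "SSHA":
        ok = verify_ssha(payload, password)
    elif scheme == "CLEAR":
        ok = hmac.compare_digest(payload.encode("utf-8"), password.encode("utf-8"))
    else:
        return {"action": "rejected", "reason": f"unsupported scheme {scheme}"}
    return {"action": "verified-locally" if ok else "rejected"}


# Constructed sample directory entries (hypothetical DNs, realm and passwords).
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": ssha_hash("correct horse", salt=b"\x01\x02\x03\x04"),
    "uid=joe,ou=people,dc=example,dc=com": "{KERBEROS}joe@KERBEROSREALM.COM",
}


def audit_entries(entries: dict) -> dict:
    """Report which entries still hold local password material and which are Kerberos-only."""
    report = {}
    for dn, value in entries.items():
        scheme, _ = parse_userpassword(value)
        report[dn] = "kerberos-only" if scheme == "KERBEROS" else f"local:{scheme}"
    return report


if __name__ == "__main__":
    for dn, value in SAMPLE_ENTRIES.items():
        print(dn, simple_bind_decision(value, "correct horse"))
    print(audit_entries(SAMPLE_ENTRIES))
```

Two things the model makes visible: with a `{KERBEROS}` entry the web application still performs a simple bind, so the user's cleartext password still travels from the application to the directory server (which is why that hop needs TLS) and it is the directory, not the application, that would talk to the KDC; and `audit_entries` is the kind of check a migration would want, to find entries that still carry a local hash after the cut-over. Whether Sun ONE Directory Server performs the delegation for this scheme is not something the post establishes, which is why the example models the decision rather than the KDC exchange.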

