MIT Kerberos LDAP backend

Douglas E. Engert deengert at anl.gov
Thu Nov 8 10:14:23 EST 2007



John Gilbertson wrote:
> Roberto C. Sánchez wrote:
>> I don't think that write access is a requirement.  That is, I have not
>> had to implement it like that.  Here is the HOWTO I followed (more or
>> less):
>>
>> http://aput.net/~jheiss/krbldap/howto.html
> 
> Thanks for the link, but I'm not sure if that will do what we need. 
> We're not looking to replace NIS or the like, 

If you did, search for nss-ldap.

> just add Kerberos as an 
> authentication route for various programs with Kerberos support.
> The documentation is a touch vague about what each part is being used 
> for, or how things actually talk to each other, I can't find the part 
> where Kerberos and LDAP will actually communicate in any way.

If you are trying to authenticate an LDAP client to an LDAP server using Kerberos,
search for SASL and GSSAPI.

> 
> We have an LDAP tree with all our user info in, and want to be able to 
> use programs which only know Kerberos to be able to authenticate against 
> the data in LDAP.

Not sure what you mean here as you have responded to Ken that it's
not the KDC access to its data stored in LDAP that you are interested in.

Kerberos does authentication. LDAP can be used for authentication using
passwords stored in LDAP, but is also used for authorization. So using pam_krb5
with nss-ldap can work well for login.

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


