mit kerberos and openldap

Roberto C. Sánchez roberto at connexer.com
Tue Nov 13 10:30:09 EST 2007


On Mon, Nov 12, 2007 at 08:55:52PM +0600, Konstantin Verba wrote:
> On Monday 12 November 2007 20:15:12 Roberto C. Sánchez wrote:
> > On Mon, Nov 12, 2007 at 08:06:43PM +0600, Konstantin Verba wrote:
> > > Hello, I'm trying to setup Single Sign-On using mit kerberos and
> > > openldap. I already have slapd configured and running, and created
> > > kerberos containers in ldap with kdb5_ldap_util. But as I can see, I have
> > > two different trees of entities, one is the krbcontainer tree and another
> > > is my ou, where I keep test user's account with inetOrgPerson
> > > (structural) objectClass. Problem is I want that user authenticate with
> > > kerberos and then get access to uid and other data in ldap. How to keep
> > > this all together? I've already created mixed object class with
> > > inetorgperson and krbperson as parents, but krbPrincipalName and uid are
> > > still different fields.
> >
> > I accomplished something like what you are describing by not putting any
> > kerberos-related information into LDAP and telling PAM on the clients to
> > authenticate against kerberos and to get everything else from LDAP.
> >
> > Regards,
> >
> > -Roberto
> 
> In such a case, I don't see any difference between using separate ldap tree
> or not using ldap at all. I think all the trick you are talking about is in
> the pam configuration, am I right?
> 
Yes.  It is basically telling PAM to look one place for some things and
another place for everything else.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
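The split Roberto describes (PAM authenticates against the KDC, everything else comes from LDAP) is, on a Linux client, a PAM stack plus an NSS configuration. The following is an added example and not Roberto's configuration: it assumes Debian-style `/etc/pam.d/common-*` files, the `pam_krb5` module, `nss_ldap`, and the placeholder realm `EXAMPLE.COM`, hosts `kdc.example.com` and `ldap.example.com`, and base `dc=example,dc=com`.

```conf
# --- /etc/krb5.conf (client) ---
# Realm and KDC host are placeholders; replace with your own.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

# --- /etc/pam.d/common-auth ---
# Passwords go to the KDC first. pam_unix only handles local
# /etc/shadow accounts; no password is ever bound against LDAP.
auth    sufficient  pam_krb5.so minimum_uid=1000
auth    required    pam_unix.so nullok_secure use_first_pass

# --- /etc/pam.d/common-account ---
account required    pam_unix.so

# --- /etc/pam.d/common-session ---
# pam_krb5 stores the ticket obtained at login in a credential cache,
# so the user can reach Kerberos-aware services afterwards.
session optional    pam_krb5.so minimum_uid=1000
session required    pam_unix.so

# --- /etc/nsswitch.conf ---
# Identity data (uid, gid, home directory, shell) is resolved from
# LDAP via nss_ldap; Kerberos is never consulted for it.
passwd:   files ldap
group:    files ldap
shadow:   files ldap

# --- /etc/ldap.conf (nss_ldap) ---
# Anonymous, read-only lookups of posixAccount/posixGroup entries,
# protected with STARTTLS so attribute data is not read off the wire.
uri   ldap://ldap.example.com/
base  dc=example,dc=com
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one
ssl   start_tls
```

With this layout the user's LDAP entry needs only the `inetOrgPerson` and `posixAccount` object classes (`uid`, `uidNumber`, `gidNumber`, `homeDirectory`); no `krbPrincipalName` attribute is required. The two sides are linked purely by the login name: `pam_krb5` authenticates `uid@EXAMPLE.COM` (the `uid` value plus `default_realm`), and `nss_ldap` then looks up the same `uid` in `ou=People` for the account details.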