Using LDAP in place of .k5login

Jos Backus jos at catnook.com
Tue Oct 2 23:03:32 EDT 2007


On Wed, Oct 03, 2007 at 12:29:00AM +0100, Simon Wilkinson wrote:
> 
> >Does anyone have any mods to use LDAP to store the auth_to_local
> >database? 
> 
> Somewhere or another I've got patches allowing this to be deferred to a
> daemon that's contacted through a Unix socket (library provides principal
> and username, daemon says yes or no). I never really got past prototyping
> this as a proof of concept, and we've never got round to using it in
> production, but I can dig out the code if anyone is interested. In the case
> you're discussing it would allow the LDAP lookups to be performed
> 'out-of-process'.
 
This sounds interesting. In the solution I am envisioning, this daemon would
take the hostname, principal and username and return whether the mapping is
valid or not, i.e. whether that principal can log into that user at hostname.
This then would somehow end up back in the app through krb5_kuserok().

(Btw, it sounds like this could also be implemented using a centralized
authorization server.)

Am I understanding correctly?

Thanks,
-- 
Jos Backus
jos at catnook.com
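Worked example, added here by the editor and not code from the thread or from Simon's patches: a proof-of-concept of the daemon described above, extended with the hostname field Jos proposes. The wire format is an assumption of this example only: the library side sends one line "host<TAB>principal<TAB>username\n" over a Unix stream socket and reads back "yes\n" or "no\n". The sample policy table stands in for the LDAP lookup the thread discusses, and the hostnames and principals in it are constructed. Anything malformed, oversized, slow or unreachable is answered (or treated as) "no", so the check fails closed.

```python
import os
import shutil
import socket
import tempfile
import threading

MAX_REQUEST = 1024   # hostnames and principals are short; refuse anything bigger
IO_TIMEOUT = 2.0     # a stuck daemon must not hang a login indefinitely

# Constructed sample policy: (host, principal) -> local accounts it may log in as.
# In the setup discussed in the thread this lookup would be answered from LDAP.
POLICY = {
    ("hostA.example.com", "jos@EXAMPLE.COM"): {"jos", "root"},
    ("hostA.example.com", "alice@EXAMPLE.COM"): {"alice"},
    ("hostB.example.com", "alice/admin@EXAMPLE.COM"): {"root"},
}


def decide(policy, host, principal, user):
    """The auth_to_local decision itself: may principal become `user` on `host`?"""
    return user in policy.get((host, principal), ())


def parse_request(raw):
    """Parse one request line; return (host, principal, user) or None if malformed."""
    if len(raw) > MAX_REQUEST or not raw.endswith(b"\n"):
        return None
    try:
        fields = raw[:-1].decode("utf-8").split("\t")
    except UnicodeDecodeError:
        return None
    if len(fields) != 3 or not all(fields):
        return None
    return tuple(fields)


def _handle(conn, policy):
    """Serve one client: read a line, decide, answer, close.  Default is deny."""
    with conn:
        conn.settimeout(IO_TIMEOUT)
        buf = b""
        try:
            while b"\n" not in buf and len(buf) <= MAX_REQUEST:
                chunk = conn.recv(256)
                if not chunk:
                    break
                buf += chunk
        except OSError:          # timeout or reset: fall through to "no"
            pass
        req = parse_request(buf)
        ok = req is not None and decide(policy, *req)
        try:
            conn.sendall(b"yes\n" if ok else b"no\n")
        except OSError:
            pass


class AuthzDaemon:
    """Listens on a Unix socket and answers kuserok-style questions from a policy."""

    def __init__(self, sock_path, policy):
        self.sock_path, self.policy = sock_path, policy
        self._stop = threading.Event()
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(sock_path)
        self._srv.listen(16)
        self._srv.settimeout(0.2)   # so the accept loop notices stop()
        self._thread = threading.Thread(target=self._loop, daemon=True)
        self._thread.start()

    def _loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:          # listening socket closed by stop()
                return
            threading.Thread(target=_handle, args=(conn, self.policy), daemon=True).start()

    def stop(self):
        self._stop.set()
        self._srv.close()
        self._thread.join(IO_TIMEOUT)
        if os.path.exists(self.sock_path):
            os.unlink(self.sock_path)


def raw_query(sock_path, payload):
    """Send arbitrary bytes to the daemon; return its reply, or b"" on any error."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(IO_TIMEOUT)
            s.connect(sock_path)
            s.sendall(payload)
            return s.recv(8)     # the reply is at most 4 bytes
    except OSError:
        return b""


def kuserok(sock_path, host, principal, user):
    """Library side: what an out-of-process krb5_kuserok() would ask.  Fails closed."""
    fields = (host, principal, user)
    if not all(fields) or any("\t" in f or "\n" in f for f in fields):
        return False
    return raw_query(sock_path, "\t".join(fields).encode("utf-8") + b"\n") == b"yes\n"


def run_demo():
    """Start a daemon on a private socket, run sample queries, return the answers."""
    tmp = tempfile.mkdtemp()
    sock_path = os.path.join(tmp, "kuserok.sock")
    daemon = AuthzDaemon(sock_path, POLICY)
    try:
        return {
            "jos_as_jos_on_A": kuserok(sock_path, "hostA.example.com", "jos@EXAMPLE.COM", "jos"),
            "jos_as_alice_on_A": kuserok(sock_path, "hostA.example.com", "jos@EXAMPLE.COM", "alice"),
            "admin_as_root_on_B": kuserok(sock_path, "hostB.example.com", "alice/admin@EXAMPLE.COM", "root"),
            "admin_as_root_on_A": kuserok(sock_path, "hostA.example.com", "alice/admin@EXAMPLE.COM", "root"),
            "two_fields": raw_query(sock_path, b"hostA.example.com\tjos@EXAMPLE.COM\n"),
            "oversized": raw_query(sock_path, b"A" * 4096),
        }
    finally:
        daemon.stop()
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for name, answer in run_demo().items():
        print(f"{name}: {answer!r}")
```

Two caveats a deployment would need that this sketch only hints at. The daemon answers a question; it cannot enforce anything, so the library side must treat every failure (no socket, timeout, garbage reply) as "no", which is why kuserok() compares against exactly b"yes\n". And the client supplies the hostname itself, which is fine for a daemon on the same machine but means a centralized authorization server of the kind Jos mentions would have to authenticate the asking host rather than trust that field.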
