LDAP + Kerberos grouping/password

Douglas E. Engert deengert at anl.gov
Fri Dec 19 10:59:56 EST 2008

Mathew Rowley wrote:
> Do you have to sync passwords between Kerberos and LDAP if I am using LDAP
> for user specific information?  For example, if I ssh to a box, I want it to
> authenticate with kerberos, but get the gid/uid/shell/homedir from LDAP.  Is
> there a way to specify the LDAP PAM module to not to auth against LDAP, just
> get the user information?

Not clear why you want to sync passwords. If you want to use Kerberos
for authentication, don't authenticate to LDAP, and don't use the
passwords. Depending on your OS, you can have them set to NP or *NP*
so they can't be used.

So don't use the pam_ldap. Let nsswitch find ldap for getting the
rest of the info and use pam_krb5.

> Thanks.


  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list