ldap-backend with kerberos

Michael Ströder michael at stroeder.com
Wed Sep 16 09:16:39 EDT 2009


Julian Thomé wrote:
> 
> Now we want new users to be automatically available as kerberos principals.
> We want to create our user-accounts directly in LDAP. For each user
> created in the ldap we need a kerberos principal with the same password
> of his unix-account.

Yes, I understand that quite well.

> For authentication kerberos should be used.
> Is it possible (with the smbk5pwd-Module) to give newly created
> ldap-entries (posixAccounts) a kerberos-password automatically?

As already said:

> Michael Ströder wrote:
>> OpenLDAP's slapo-smbk5pwd only works with heimdal since currently
>> heimdal's and MIT's LDAP backends use different LDAP schema.

Again: Yes, it is possible with heimdal as KDC. But not with MIT Kerberos.
slapo-smbk5pwd intercepts and handles the Password Modify extended operation
request. So you have to use that instead of a simple modify request when setting
the password.

Ciao, Michael.
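
Added example, not part of the original post: a Python sketch of the LDAP Password Modify extended request that the reply says slapo-smbk5pwd intercepts, next to a check that tells it apart from a plain modify. The ASN.1 layout is taken from RFC 3062 and RFC 4511; the DN and password are constructed sample values, the function names are hypothetical, and only the protocolOp is encoded, not the surrounding LDAPMessage.

```python
# Added example: BER encoding of the RFC 3062 Password Modify request.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 requestName
TAG_EXTENDED_REQ = 0x77  # [APPLICATION 23], constructed (RFC 4511)
TAG_MODIFY_REQ = 0x66    # [APPLICATION 6], constructed (RFC 4511)

def ber_len(n):
    """Definite-length BER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def passwd_modify_value(user_dn=None, old_pw=None, new_pw=None):
    """PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,
         oldPasswd    [1] OCTET STRING OPTIONAL,
         newPasswd    [2] OCTET STRING OPTIONAL }"""
    body = b""
    for tag, field in ((0x80, user_dn), (0x81, old_pw), (0x82, new_pw)):
        if field is not None:
            body += tlv(tag, field.encode("utf-8"))
    return tlv(0x30, body)

def extended_request(user_dn, new_pw):
    """ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
         requestName [0] LDAPOID, requestValue [1] OCTET STRING OPTIONAL }"""
    name = tlv(0x80, PASSWD_MODIFY_OID.encode("ascii"))
    value = tlv(0x81, passwd_modify_value(user_dn=user_dn, new_pw=new_pw))
    return tlv(TAG_EXTENDED_REQ, name + value)

def is_password_modify(protocol_op):
    """True only for an ExtendedRequest whose requestName is the RFC 3062 OID."""
    if protocol_op[:1] != bytes([TAG_EXTENDED_REQ]):
        return False  # e.g. a ModifyRequest replacing userPassword
    first = protocol_op[1]
    start = 2 if first < 0x80 else 2 + (first & 0x7F)  # skip length octets
    name = tlv(0x80, PASSWD_MODIFY_OID.encode("ascii"))
    return protocol_op[start:start + len(name)] == name

# Constructed sample values.
SAMPLE_DN = "uid=jdoe,ou=people,dc=example,dc=com"
SAMPLE_EXOP = extended_request(SAMPLE_DN, "s3cret-sample")
SAMPLE_MODIFY = tlv(TAG_MODIFY_REQ, tlv(0x04, SAMPLE_DN.encode("ascii")))
```

Client tools such as ldappasswd send this extended operation, whereas an ldapmodify that replaces userPassword sends the ModifyRequest form.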


