Kerberos & LDAP
Jaap Winius
jwinius at umrk.nl
Thu Jan 14 10:09:14 EST 2010
On Thu, 14 Jan 2010 12:11:38 +0530, Prasad (普拉萨德) wrote:
> Is it possible that if I add the user in Kerberos it will automatically add
> the user in LDAP too? Because I am using Kerberos as a FrontEnd and LDAP
> as Backend, so that I can sync both the passwords.
That's not what you want to do. The idea is to integrate Kerberos and
LDAP so that the user account names in LDAP match those of the principals
in Kerberos, but that the passwords are only stored in Kerberos -- not in
LDAP. Users must then authenticate to Kerberos before they are authorized
by, and given access to, the LDAP database.
New users must be given a full Kerberos account (with a password), as
well as a matching LDAP account (without a password). The process can be
automated with a script using the kadmin and ldapadd commands. This is my
current understanding, although I must admit that I have yet to write
such a script myself. Still, it doesn't look too hard.
If you're interested, I've written a few pages on this subject, although
it's still a work in progress:
http://www.rjsystems.nl/en/2100.php
The bits about the chain overlay are either incomplete or incorrect, and
I have yet to produce an "OpenLDAP client with MIT Kerberos V" page.
Cheers,
Jaap
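As an added example (not code from the original post or from the pages it links to), here is a sketch of the script Jaap describes: one kadmin call to create the principal, one ldapadd for the matching account, and an LDIF that deliberately carries no userPassword. The base DN, realm, object classes, GSSAPI bind and the assumption that kadmin.local reads the password from stdin are all mine, not the author's.

```shell
#!/bin/sh
# Added example, not from the original post: create a Kerberos principal and
# a matching LDAP account. The LDAP entry gets no userPassword attribute, so
# the password only ever lives in the KDC; LDAP merely authorises.
# Assumptions: MIT Kerberos admin tools, OpenLDAP reachable via SASL/GSSAPI,
# and the (constructed) realm and base DN below.
set -eu

BASE_DN="ou=people,dc=example,dc=com"   # assumed base DN, adjust per site
REALM="EXAMPLE.COM"                     # assumed Kerberos realm

# Print an LDIF for an inetOrgPerson/posixAccount entry without userPassword.
make_ldif() {
    # $1=uid  $2=uidNumber  $3=gidNumber  $4=full name
    printf 'dn: uid=%s,%s\n' "$1" "$BASE_DN"
    printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\n'
    printf 'uid: %s\ncn: %s\nsn: %s\n' "$1" "$4" "${4##* }"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$2" "$3"
    printf 'homeDirectory: /home/%s\nloginShell: /bin/sh\n' "$1"
}

# Reject anything that is not a plain account name before it reaches
# kadmin or ldapadd (keeps the principal name and the DN well-formed).
valid_uid() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

add_user() {
    # $1=uid  $2=uidNumber  $3=gidNumber  $4=full name; initial password on stdin
    valid_uid "$1" || { echo "bad uid: $1" >&2; return 1; }
    IFS= read -r pw
    # kadmin prompts twice for the password; feeding it on stdin keeps it
    # out of the process list. +needchange forces a change at first logon.
    printf '%s\n%s\n' "$pw" "$pw" |
        kadmin.local -q "addprinc +needchange $1@$REALM" >/dev/null
    # Create the LDAP entry only after the principal exists (GSSAPI bind).
    make_ldif "$1" "$2" "$3" "$4" | ldapadd -Q -Y GSSAPI
}
```

Usage: `printf 'initial-pw\n' | add_user alice 10001 10001 "Alice Example"`, run on the KDC with a valid admin ticket.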