Kerberos & LDAP

Jaap Winius jwinius at umrk.nl
Thu Jan 14 10:09:14 EST 2010


On Thu, 14 Jan 2010 12:11:38 +0530, Prasad (普拉萨德) wrote:

> Is it possible that if I add a user in Kerberos, it will automatically
> add the user in LDAP too? I am using Kerberos as a front end and LDAP
> as a back end, so that I can sync both passwords.

That's not what you want to do. The idea is to integrate Kerberos and 
LDAP so that the user account names in LDAP match those of the principals 
in Kerberos, but that the passwords are only stored in Kerberos -- not in 
LDAP. Users must then authenticate to Kerberos before they are authorized 
by, and given access to, the LDAP database.

New users must be given a full Kerberos account (with a password), as 
well as a matching LDAP account (without a password). The process can be 
automated with a script using the kadmin and ldapadd commands. This is my 
current understanding, although I must admit that I have yet to write 
such a script myself. Still, it doesn't look too hard.

If you're interested, I've written a few pages on this subject, although 
it's still a work in progress:

   http://www.rjsystems.nl/en/2100.php

The bits about the chain overlay are either incomplete or incorrect, and 
I have yet to produce an "OpenLDAP client with MIT Kerberos V" page.

Cheers,

Jaap
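The kadmin/ldapadd script sketched above, written out as an added example; it is not code from the original post or from the rjsystems.nl pages. It assumes a hypothetical realm EXAMPLE.COM and base DN dc=example,dc=com, that it runs as root on the KDC (so kadmin.local needs no password), and that slapd is reachable over ldapi:/// with a SASL EXTERNAL mapping that gives root write access. The LDAP entry it creates deliberately carries no userPassword attribute, matching the point above that passwords live only in Kerberos. With DRY_RUN=1 (the default) it only prints the commands and the LDIF it would use, so it can be read and tried without a KDC.

```shell
#!/bin/sh
# Added example: create a Kerberos principal plus a matching, password-less
# LDAP posixAccount in one step.  Site values below are hypothetical.
set -u

REALM="${REALM:-EXAMPLE.COM}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
PEOPLE_OU="ou=people,${BASE_DN}"
GROUP_GID="${GROUP_GID:-100}"
# DRY_RUN=1 (default) prints what would be executed instead of executing it.
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a plain lowercase POSIX login name, so the same string is
# safe as a Kerberos principal, as the LDAP RDN and as a shell argument.
valid_name() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Emit the LDIF for the account ($1 = login name, $2 = uidNumber).
# There is intentionally no userPassword attribute: users authenticate to
# the KDC (e.g. a SASL/GSSAPI bind), never with a password held in LDAP.
make_ldif() {
    cat <<EOF
dn: uid=${1},${PEOPLE_OU}
objectClass: inetOrgPerson
objectClass: posixAccount
uid: ${1}
cn: ${1}
sn: ${1}
uidNumber: ${2}
gidNumber: ${GROUP_GID}
homeDirectory: /home/${1}
loginShell: /bin/sh
EOF
}

# add_user NAME UIDNUMBER INITIAL_PASSWORD
# Creates the principal first (password fed on stdin so it never appears in
# argv, and +needchange forces the user to pick a new one at first login),
# then the LDAP entry.  If the LDAP step fails the principal is removed
# again so the two stores never drift apart.
add_user() {
    valid_name "$1" || { echo "add_user: bad user name: $1" >&2; return 2; }
    printf '%s\n%s\n' "$3" "$3" \
        | run kadmin.local -q "addprinc +needchange $1@$REALM" || return 1
    if [ "$DRY_RUN" = 1 ]; then
        make_ldif "$1" "$2"
    else
        make_ldif "$1" "$2" | ldapadd -Q -Y EXTERNAL -H ldapi:/// \
            || { kadmin.local -q "delprinc -force $1@$REALM"; return 1; }
    fi
}

# Example invocation (dry run unless DRY_RUN=0 is exported):
#   add_user alice 10001 'Initial-Pw-1'
```

Before running it for real, check that the KDC and the directory agree on the naming: `kadmin.local -q "getprinc alice@EXAMPLE.COM"` and `ldapsearch -Q -Y EXTERNAL -H ldapi:/// "(uid=alice)"` should both find the account, and the LDAP entry should show no userPassword.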
