kinit failure with Kerberos and LDAP backend

Booker Bense bbense at
Fri Oct 26 12:22:53 EDT 2012

> There are additional attributes for the ou=People.
> At the moment we're still using NIS and AFS on our Linux systems. I want
> the LDAP to provide a NIS replacement and authenticate via AFS and/or
> KRB5 so I can gradually move our systems to KRB5. AFS, KRB5 and LDAP
> will be provisioned from an identity management system in the near
> future and I'm trying to provide the infrastructure for our systems.

Do yourself a big favor and put Kerberos entities in ou=Accounts.
There is not a one-to-one relationship between accounts and people,
and you will make your life much easier in the future if you clearly
make the split now.

If you are going to use your LDAP server only for a NIS replacement,
then you might get by with just one ou. But that really limits where
you can go in the future.

- Booker C. Bense
