Integrating Kerberos with LDAP

Sean Elble elbles at sessys.com
Sat Jun 18 13:50:42 EDT 2016


> On Jun 18, 2016, at 6:59 AM, Aneela Saleem <aneela at platalytics.com> wrote:
> 
> Hi,
> 
> I'm new to Kerberos. I have configured it successfully. I can add
> principals and authenticate those principals well. Now I want to import
> users from LDAP, and there are some confusions regarding it.
> 
> How would the authentication be managed in the case where we want user
> management through LDAP and authentication through Kerberos? How would we
> map principals to LDAP users and vice versa? I have been looking into this
> for many days but I'm still not satisfied. Looking for suitable answers.

It depends on what exactly you're doing.  If we're talking about Linux/UNIX boxes using Kerberos and LDAP, you would have configured pam_krb5 for the authentication portion, and used nss_ldap for the user/group lookups (via /etc/nsswitch.conf or similar).  With sssd, you can configure it to handle both the Kerberos and LDAP pieces.

Are your user names in Kerberos not the same as the user names that exist in LDAP?  If you're new to Kerberos, I'm guessing you only have the one realm, which makes it quite simple--a user name (e.g., jsmith) would simply map to your principal name (e.g., jsmith at EXAMPLE.COM).

Mixing LDAP and Kerberos really isn't that difficult.  The only bit of difficulty I've experienced with the two is when you want to use Kerberos to authenticate to LDAP itself, and that's where you'd potentially have to do some mapping for ACLs (and play with SASL, etc.).  It's been a few years since I've done that, but when moving from a CentOS 5 box to a CentOS 7 box around a year ago, it hadn't seemed to change much.

> 
> Thanks.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
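The sssd split Sean describes (LDAP for identity, Kerberos for authentication, with Kerberos also used to bind to LDAP) as an added configuration example; this is not from the original thread. The realm EXAMPLE.COM, the hosts ldap.example.com, kdc.example.com and client.example.com, the search base dc=example,dc=com and the CA bundle path are assumed values.

```ini
# /etc/sssd/sssd.conf (must be mode 0600 and owned by root, or sssd will not start)
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[nss]
# Keep local root out of directory lookups.
filter_users = root
filter_groups = root

[pam]
# Days a cached credential may be used for offline login.
offline_credentials_expiration = 2

[domain/example.com]
# Identity (users and groups) comes from LDAP; this replaces nss_ldap.
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307
# Protect lookups in transit and insist on a valid server certificate
# (assumed CA bundle path).
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
# Bind to the directory with the host's own Kerberos identity from the
# keytab instead of a stored bind password (the "Kerberos to LDAP itself"
# case). The directory's ACLs then see the host principal as the binder.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab

# Authentication comes from Kerberos; this replaces pam_krb5.
auth_provider = krb5
chpass_provider = krb5
krb5_server = kdc.example.com
krb5_realm = EXAMPLE.COM
# With one realm, the LDAP uid "jsmith" maps to jsmith@EXAMPLE.COM by
# default, so no explicit principal-to-user mapping is needed.
# Verify the obtained TGT against the host key so a spoofed KDC cannot
# grant logins (requires the host keytab above).
krb5_validate = true
cache_credentials = true
enumerate = false

# /etc/nsswitch.conf then needs "passwd: files sss" and "group: files sss",
# and the PAM stack uses pam_sss instead of pam_krb5.
```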
