KDC with openldap backend, ldap replication, can it chase referrals?

Andreas Hasenack andreas at canonical.com
Wed Apr 15 11:30:24 EDT 2020


Hello,

On Wed, Apr 15, 2020 at 12:23 PM Dan Mahoney (Gushi)
<danm at prime.gushi.org> wrote:
> I may have asked this in the past, but I'll ask it again since LDAP came
> up.  We have an existing Kerberos domain, but we don't use LDAP at all (we
> just use puppet to handle things like user creation on servers).
>
> Specifically, we don't do active directory for any client workstations and
> don't run windows in general -- our users own their own machines, so
> there's no tie-in.  It's hundreds of servers, probably ~30 users.
>
> I see a way to do kerberos with an LDAP backend, but not the opposite.
> I'd like to "Add" openLDAP to my existing KDC, or deploy openLDAP but have
> it use the KDB for authentication.  (Where openLDAP would continue to do
> "authorization", but some machines would be kerberos-only and have no
> dependence on any LDAP systems).  I don't want to have to re-key hundreds
> of systems.

Sorry, I don't understand what you mean by "add openldap to existing
kdc". You can add the openldap service to your kerberos realm and have
your users authenticate against your openldap server using kerberos,
just like any other kerberized service.
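As an added illustration of the reply above (not code from the original thread or from either poster), this is what "adding the openldap service to the realm" looks like in practice on Ubuntu: a service principal for slapd, a keytab it can read, and a cn=config change that turns an authenticated Kerberos principal into a DN in the directory. The realm EXAMPLE.COM, the host ldap.example.com, the suffix dc=example,dc=com, the keytab path and the olcAuthzRegexp mapping are all assumptions for the example; the KDC itself is left untouched, which is the point for hosts that never talk to LDAP.

```ldif
# Added example, not from the original mailing-list post. Assumed names:
# realm EXAMPLE.COM, host ldap.example.com, suffix dc=example,dc=com.
#
# 1. On the existing KDC, create the slapd service principal and export it
#    to a keytab that only the slapd user can read (paths are Ubuntu's):
#      kadmin -q "addprinc -randkey ldap/ldap.example.com@EXAMPLE.COM"
#      kadmin -q "ktadd -k /etc/ldap/ldap.keytab ldap/ldap.example.com@EXAMPLE.COM"
#      chown openldap:openldap /etc/ldap/ldap.keytab && chmod 0600 /etc/ldap/ldap.keytab
#    and tell slapd where it is, e.g. in /etc/default/slapd:
#      export KRB5_KTNAME=/etc/ldap/ldap.keytab
#
# 2. Apply this LDIF to cn=config (as root, over the local socket):
#      ldapmodify -Y EXTERNAL -H ldapi:/// -f kerberize-slapd.ldif
dn: cn=config
changetype: modify
replace: olcSaslRealm
olcSaslRealm: EXAMPLE.COM
-
replace: olcSaslHost
olcSaslHost: ldap.example.com
-
# A GSSAPI bind arrives as the SASL DN uid=<primary>,cn=gssapi,cn=auth
# (with ,cn=<REALM> inserted before cn=gssapi when the principal's realm is
# not the default realm above). Map both forms onto the user's real entry,
# so the directory, not the KDC, still decides what the account may do.
replace: olcAuthzRegexp
olcAuthzRegexp: {0}uid=([^,]*),cn=gssapi,cn=auth
  uid=$1,ou=people,dc=example,dc=com
olcAuthzRegexp: {1}uid=([^,]*),cn=EXAMPLE\.COM,cn=gssapi,cn=auth
  uid=$1,ou=people,dc=example,dc=com
-
# Refuse anonymous and simple binds that would bypass Kerberos entirely
# (assumed hardening; drop it if some consumer still needs simple binds).
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain
```

To check the mapping, get a ticket for an ordinary user and ask slapd who it thinks you are: `kinit dan` followed by `ldapwhoami -Y GSSAPI -H ldap://ldap.example.com/` should print `dn:uid=dan,ou=people,dc=example,dc=com`. If it prints the raw `uid=dan,cn=gssapi,cn=auth` form instead, the regexp did not match and the user has no authorization identity yet; the bind itself (authentication) still succeeded against the KDC. Users also need an entry under ou=people for the mapping to lead anywhere, which is the "authorization" half that stays in LDAP.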

