[31921] in Kerberos


Re: Kerberos & LDAP

daemon@ATHENA.MIT.EDU (Jaap Winius)
Thu Jan 14 14:17:04 2010

From: Jaap Winius <jwinius@umrk.nl>
MIME-Version: 1.0
Date: 14 Jan 2010 15:09:14 GMT
Message-ID: <4b4f339a$0$2039$e4fe514c@dreader16.news.xs4all.nl>
To: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Thu, 14 Jan 2010 12:11:38 +0530, Prasad (普拉萨德) wrote:
> Is that possible If I add the user in Kerberos will automatically add
> the user in LDAP too. Because I am using Kerberos as a FrontEnd and LDAP
> as Backend. So that I can sync both the passwords.
That's not what you want to do. The idea is to integrate Kerberos and LDAP so that the user account names in LDAP match those of the principals in Kerberos, but that the passwords are only stored in Kerberos -- not in LDAP. Users must then authenticate to Kerberos before they are authorized by, and given access to, the LDAP database.
New users must be given a full Kerberos account (with a password), as well as a matching LDAP account (without a password). The process can be automated with a script using the kadmin and ldapadd commands. This is my current understanding, although I must admit that I have yet to write such a script myself. Still, it doesn't look too hard.
If you're interested, I've written a few pages on this subject, although it's still a work in progress:
   http://www.rjsystems.nl/en/2100.php
The bits about the chain overlay are either incomplete or incorrect, and I have yet to produce an "OpenLDAP client with MIT Kerberos V" page.
Cheers,
Jaap
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
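One way to automate the two-step account creation described above, as an added example rather than Jaap's script or anything from his pages. It assumes a constructed realm EXAMPLE.COM, the base DN ou=People,dc=example,dc=com, an admin principal with a keytab, ldapadd authenticated over GSSAPI, and the usual kadmin convention of reading the new password twice from stdin.

```shell
#!/bin/sh
# Added example (not Jaap's script): give a new user the two halves the post
# describes, a Kerberos principal holding the password and an LDAP entry
# that stores none. Constructed assumptions: realm, base DN, admin keytab, URI.
REALM="EXAMPLE.COM"
BASE_DN="ou=People,dc=example,dc=com"
ADMIN="admin/admin@${REALM}"
KEYTAB="/etc/krb5.kadmin.keytab"
LDAP_URI="ldap://ldap.example.com"
# Lowercase POSIX-style names only: anything else could smuggle DN or kadmin
# syntax (',', '/', '@', newline) into the commands below.
valid_name() {
    case "$1" in
        ''|*[!a-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}
# LDIF for the directory half: deliberately no userPassword attribute, so a
# dump of the directory exposes no credential; the KDC is the only holder.
build_ldif() {
    uname="$1"; uidnum="$2"; gidnum="$3"; gecos="$4"
    cat <<EOF
dn: uid=${uname},${BASE_DN}
objectClass: inetOrgPerson
objectClass: posixAccount
uid: ${uname}
cn: ${gecos}
sn: ${gecos##* }
uidNumber: ${uidnum}
gidNumber: ${gidnum}
homeDirectory: /home/${uname}
loginShell: /bin/sh
EOF
}
add_user() {
    valid_name "$1" || { echo "refusing username: $1" >&2; return 1; }
    # One-time random password handed to kadmin on stdin, never in argv where
    # ps could read it; +needchange makes the user replace it at first login.
    pw=$(head -c 18 /dev/urandom | base64 | tr -d '\n')
    kadmin -k -t "$KEYTAB" -p "$ADMIN" <<EOF || return 1
addprinc +needchange ${1}@${REALM}
${pw}
${pw}
EOF
    build_ldif "$@" | ldapadd -Q -Y GSSAPI -H "$LDAP_URI" || return 1
    echo "created ${1}; deliver initial password out of band: ${pw}"
}
# usage: adduser.sh NAME UIDNUMBER GIDNUMBER "Full Name"
if [ "$#" -eq 4 ]; then add_user "$@"; fi
```

The Kerberos step runs first on purpose: if the principal cannot be created there is no point in leaving a password-less LDAP entry behind.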
