[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP and optional kerberos ?

To: openldap-technical@openldap.org
Subject: OpenLDAP and optional kerberos ?
From: "Nicolas GRENECHE" <nicolas.greneche@gmail.com>
Date: Sat, 29 Dec 2007 17:45:14 +0100

Hi all,

I need tu replace an old NIS with a topnotch OpenLDAP server.
I would like to add SSO support on my brand new architecture.

2 scenarii may occur :
1) Using pam_kerberos to authentaicate against KDC and retreiving information from LDAP server with SASL.
The backward is that anyone (or anything) that need to authenticate MUST be kerberos aware.
2) Having LDAP and Kerberos passwords synced.
Asset : You can authenticate through LDAP or kerberos (pam_ldap required an pam_kerberos optional) ie you must authenticate against LDAP and if Kerberos autentication success you get a TGT !
Backward : Two password databases to protect / lot of work on client side / passwords must be synced (Do you now materials to do it ?).

I add that security is not a major concern for us and we got many OS on client side that's why the 1st solution may not fit our needs.

Has someone ever experienced the second solution ?
Have you some hints and feedbacks ?

Thx,

Nico

Follow-Ups:
- Re: OpenLDAP and optional kerberos ?
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: ldap_set_option/ldap_bind_s segfaults
Next by Date: Re: OpenLDAP and optional kerberos ?
Index(es):
- Chronological
- Thread