
Migrating from local LDAP auth to LDAP+kerberos


I like kerberos - been using it for years at other sites.

New job - have LDAP, no kerberos.

I'd like to backend the existing LDAP server with kerberos - I have some hope as I've just read this excellent article:


(free registration needed)

Traditionally, I would probably have made LDAP open for browsing (no auth) and adapted PAM on the clients to do auth via kerberos.

However, I have a load of apps here that only know how to talk and auth against LDAP.

Am I right in thinking:

1) Once LDAP is backended with kerberos, that "LDAP authentication" can take place using either a) plain password via LDAP which auths to kerberos; b) GSSAPI (i.e. using a client-side kerberos ticket from a previous kinit)

2) Can I migrate users piecemeal, eg remove their LDAP passwords one by one and (possibly tweaking something on the LDAP directory) have those users auth through to kerberos, while other users auth to the LDAP directory, until everyone is moved?

Please excuse the dumbness - I know kerberos, I am just learning LDAP.

Or is this going to have to be a big-bang switchover?



Tim Watts
Personal Blog: http://www.dionic.net/tim/
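The piecemeal migration asked about in point 2 is, on OpenLDAP, exactly what pass-through authentication gives you: a userPassword value of the form {SASL}user@REALM makes slapd hand a simple-bind password to saslauthd (run with MECH=kerberos5, with slapd's SASL config pointing pwcheck_method at saslauthd) and the KDC decides; entries whose userPassword is still a local hash ({SSHA}, {CRYPT}, ...) carry on authenticating against the directory. GSSAPI binds (ldapwhoami -Y GSSAPI after a kinit) are independent of userPassword and only need the SASL/GSSAPI mechanism and an ldap/host keytab on the server. The script below is an added example, not code from this post or from the list: it reads a slapcat-style dump, reports which users are already on pass-through, and writes the ldapmodify LDIF that moves a chosen set of users over. The realm, DNs and the sample dump are constructed for the example.

```python
"""Plan a piecemeal LDAP -> Kerberos pass-through migration (added example).

Assumes OpenLDAP pass-through authentication: userPassword {SASL}user@REALM
delegates simple binds to saslauthd/Kerberos, while other schemes stay local.
The realm, the DNs and the sample dump below are constructed, not real data.
"""
import base64
import re

REALM = "EXAMPLE.COM"  # assumption: the site's Kerberos realm

# Constructed slapcat-style dump; slapcat base64-encodes userPassword ('::').
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword:: e1NTSEF9YWJj

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: {SASL}bob@EXAMPLE.COM

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
userPassword: {CRYPT}abJnggxhB/yWI
"""

_SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts.
    Handles 'attr: value', base64 'attr:: value' and folded continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def password_scheme(value):
    """Return the {SCHEME} tag of a userPassword value, or 'PLAIN' if there is none."""
    m = _SCHEME.match(value)
    return m.group(1).upper() if m else "PLAIN"


def classify(entries):
    """Map uid -> 'kerberos' (only {SASL} values), 'local', 'mixed' or 'none'."""
    result = {}
    for e in entries:
        if "uid" not in e:
            continue
        schemes = {password_scheme(v) for v in e.get("userPassword", [])}
        if not schemes:
            state = "none"
        elif schemes == {"SASL"}:
            state = "kerberos"
        elif "SASL" in schemes:
            state = "mixed"
        else:
            state = "local"
        result[e["uid"][0]] = state
    return result


def migration_ldif(entries, uids, realm=REALM):
    """Build the ldapmodify input that switches the given uids to pass-through.
    Each user's userPassword is replaced by {SASL}uid@REALM; the uid must equal
    the Kerberos principal name. Users already on {SASL} are skipped; an unknown
    uid raises KeyError so a typo cannot silently leave someone behind."""
    by_uid = {e["uid"][0]: e for e in entries if "uid" in e}
    state = classify(entries)
    records = []
    for uid in uids:
        if uid not in by_uid:
            raise KeyError(f"no entry with uid={uid}")
        if state[uid] == "kerberos":
            continue
        dn = by_uid[uid]["dn"][0]
        records.append(
            f"dn: {dn}\nchangetype: modify\nreplace: userPassword\n"
            f"userPassword: {{SASL}}{uid}@{realm}\n-\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    print(classify(users))
    print(migration_ldif(users, ["alice", "carol"]))
```

Feed the generated LDIF to ldapmodify as the directory admin; the user's old hash is gone from the entry at that point, so check first (kinit as that user, or ldapwhoami -x -D with their password) that the KDC accepts them. Because pass-through means the clear-text password now travels client to slapd to saslauthd, simple binds should only be allowed over TLS while the two schemes coexist.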