Migrating from local LDAP auth to LDAP+kerberos
I like kerberos - been using it for years at other sites.
New job - have LDAP, no kerberos.
I'd like to backend the existing LDAP server with kerberos - I have some
hope as I've just read this excellent article:
(free registration needed)
Traditionally, I would probably have made LDAP open for browsing
(no auth) and adapted PAM on the clients to do auth via kerberos.
However, I have a load of apps here that only know how to talk and auth
Am I right in thinking:
1) Once LDAP is backended with kerberos, that "LDAP authentication" can
take place using either a) plain password via LDAP which auths to
kerberos; b) GSSAPI (ie using a client side kerberos ticket from a
2) Can I migrate users piecemeal, eg remove their LDAP passwords one by
one and (possibly tweaking something on the LDAP directory) have those
users auth through to kerberos, while other users auth to the LDAP
directory, until everyone is moved?
Please excuse the dumbness - I know kerberos, I am just learning LDAP.
Or is this going to have to be a big-bang switchover?
Personal Blog: http://www.dionic.net/tim/