Re: openldap proxy to kerberos



On Mon, Jan 07, 2019 at 04:18:36PM -0500, vadud3@gmail.com wrote:
> I am using openldap proxy today with ldap backend. 
> 
> Any suggestions on how to use kerberos as the backend?
> 

Kerberos only has the information necessary for authentication, like principals
and policies. LDAP stores much more, such as group memberships, numerical
uids, home directories, etc. So normally people use both LDAP and Kerberos,
not Kerberos alone. There are 3 ways that Kerberos and LDAP can work
together:

1. LDAP can use Kerberos to authenticate (bind) access
2. LDAP can forward authentication requests to Kerberos via SASL
3. Kerberos can use LDAP as a database backend

In my organization we are using 1 and 2, but not 3. I think Microsoft AD also
does something similar under the hood.
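
Added example, not part of the original message: in OpenLDAP, the second arrangement above (pass-through authentication) is marked per entry by a userPassword value of the form `{SASL}user@REALM`, which makes slapd hand the simple-bind password to Cyrus SASL (commonly saslauthd with a Kerberos backend) instead of comparing a stored hash. The Python check below reads an LDIF export and sorts entries into Kerberos-delegated, locally hashed, and foreign-realm; the sample entries, the realm EXAMPLE.COM and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample export; bob's value is base64, as LDIF tools often emit it.
_BOB = base64.b64encode(b"{SSHA}constructed-hash").decode()
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {SASL}alice@EXAMPLE.COM

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: %s

dn: uid=carol,ou=people,dc=example,dc=com
userPassword: {SASL}carol@OTHER.REALM
""" % _BOB

SASL_RE = re.compile(r"^\{SASL\}([^@]+)@(.+)$", re.IGNORECASE)

def parse_entries(ldif):
    """Yield (dn, attrs) per record, unfolding lines and decoding '::' values."""
    unfolded = re.sub(r"\r?\n ", "", ldif)
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def audit(ldif, expected_realm):
    """Sort entries by where their password is verified."""
    report = {"kerberos": [], "local_hash": [], "other_realm": []}
    for dn, attrs in parse_entries(ldif):
        for value in attrs.get("userpassword", []):
            m = SASL_RE.match(value)
            if m is None:
                report["local_hash"].append(dn)   # slapd checks this itself
            elif m.group(2) == expected_realm:    # realms are case-sensitive
                report["kerberos"].append(dn)
            else:
                report["other_realm"].append(dn)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF, "EXAMPLE.COM"))
```

Entries reported under `local_hash` are still verified by slapd itself, so Kerberos password policy and lockout do not apply to them.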