On Mon, Nov 12, 2007 at 08:55:52PM +0600, Konstantin Verba wrote:
> On Monday 12 November 2007 20:15:12 Roberto C. Sánchez wrote:
> > On Mon, Nov 12, 2007 at 08:06:43PM +0600, Konstantin Verba wrote:
> > > Hello, I'm trying to set up Single Sign-On using MIT Kerberos and
> > > OpenLDAP. I already have slapd configured and running, and created
> > > Kerberos containers in LDAP with kdb5_ldap_util. But as I can see, I have
> > > two different trees of entities, one is the krbcontainer tree and another
> > > is my ou, where I keep the test user's account with the inetOrgPerson
> > > (structural) objectClass. The problem is that I want the user to authenticate
> > > with Kerberos and then get access to uid and other data in LDAP. How do I keep
> > > this all together? I've already created a mixed object class with
> > > inetorgperson and krbperson as parents, but krbPrincipalName and uid are
> > > still different fields.
> >
> > I accomplished something like what you are describing by not putting any
> > Kerberos-related information into LDAP and telling PAM on the clients to
> > authenticate against Kerberos and to get everything else from LDAP.
> >
> > Regards,
> >
> > -Roberto
>
> In such a case, I don't see any difference between using a separate LDAP tree
> or not using LDAP at all. I think the whole trick you are talking about is in
> the PAM configuration, am I right?
>

Yes. It is basically telling PAM to look one place for some things and
another place for everything else.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

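The split described in this thread, sketched as an added example (not configuration posted by anyone in the thread): Kerberos answers the password check, LDAP supplies the account data. It covers only the auth stack and the NSS sources, and it assumes Debian-style file names, the pam_krb5 and nss_ldap modules being installed, a placeholder realm EXAMPLE.ORG, a minimum_uid of 1000, and LDAP user entries that carry posixAccount attributes.

```conf
# --- /etc/krb5.conf (fragment) ---------------------------------------
# The login name is turned into <name>@<default_realm> for the KDC.
# EXAMPLE.ORG is a placeholder realm, not one taken from the thread.
[libdefaults]
    default_realm = EXAMPLE.ORG

# --- /etc/pam.d/common-auth ------------------------------------------
# Authentication: try the KDC first. minimum_uid leaves local system
# accounts (root, daemons) to pam_unix, so they still work when the
# KDC is unreachable.
auth    sufficient    pam_krb5.so minimum_uid=1000
# Local accounts fall through to /etc/shadow, reusing the password
# that was already typed.
auth    required      pam_unix.so try_first_pass nullok_secure

# --- /etc/nsswitch.conf ----------------------------------------------
# Everything that is not a password (uid number, gid, home directory,
# shell, group membership) is looked up in local files, then in LDAP.
# No pam_ldap line appears anywhere: LDAP is never asked to verify a
# password, so no Kerberos attributes are needed in the directory.
passwd:    files ldap
group:     files ldap
```

With this layout the only link between the two systems is the login name: pam_krb5 authenticates `name` as the principal `name@<default_realm>`, and NSS resolves the same `name` against the `uid` attribute in LDAP.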