This is a discussion on Re: mit kerberos and openldap - Kerberos
On Mon, Nov 12, 2007 at 08:55:52PM +0600, Konstantin Verba wrote:
> On Monday 12 November 2007 20:15:12 Roberto C. Sánchez wrote:
> > On Mon, Nov 12, 2007 at 08:06:43PM +0600, Konstantin Verba wrote:
> > > Hello, I'm trying to set up Single Sign-On using mit kerberos and
> > > openldap. I already have slapd configured and running, and created
> > > kerberos containers in ldap with kdb5_ldap_util. But as I can see, I have
> > > two different trees of entities, one is the krbcontainer tree and another
> > > is my ou, where I keep test user's account with inetOrgPerson
> > > (structural) objectClass. Problem is I want that user authenticate with
> > > kerberos and then get access to uid and other data in ldap. How to keep
> > > this all together? I've already created mixed object class with
> > > inetorgperson and krbperson as parents, but krbPrincipalName and uid are
> > > still different fields.
> > I accomplished something like what you are describing by not putting any
> > kerberos-related information into LDAP and telling PAM on the clients to
> > authenticate against kerberos and to get everything else from LDAP.
> > Regards,
> > -Roberto
> In such a case, I don't see any difference between using separate ldap tree
> or not using ldap at all. I think all the trick you are talking about is in
> the pam configuration, am I right?
Yes. It is basically telling PAM to look one place for some things and
another place for everything else.
Roberto C. Sánchez
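
The split described in the reply above, sketched as an added client-side configuration example that is not taken from the thread or from any poster's actual setup: NSS resolves account data from LDAP, while PAM checks passwords against the Kerberos KDC. The Debian-style file paths, the `minimum_uid=1000` cutoff and the use of the `nss_ldap` and `pam_krb5` modules are assumptions; the LDAP server URI and search base live in the NSS LDAP module's own configuration file and are not shown.

```conf
# /etc/nsswitch.conf
# Identity data (uid, gid, home directory, shell, group membership)
# is looked up locally first, then in LDAP. No password hashes are
# needed in LDAP, so shadow stays local.
passwd: files ldap
group:  files ldap
shadow: files

# /etc/pam.d/common-auth
# Password verification goes to the KDC. A Kerberos success ends the
# auth stack; local accounts (e.g. root) fall through to pam_unix.
# minimum_uid keeps system accounts from being tried against Kerberos.
auth    sufficient  pam_krb5.so minimum_uid=1000
auth    required    pam_unix.so try_first_pass

# /etc/pam.d/common-account
# Account validity is checked by both modules; pam_unix finds
# LDAP users through the nsswitch.conf entries above.
account required    pam_krb5.so minimum_uid=1000
account required    pam_unix.so

# /etc/pam.d/common-session
# Optional: lets pam_krb5 clean up the credential cache at logout.
session optional    pam_krb5.so minimum_uid=1000
session required    pam_unix.so
```

With this layout the only link between the two systems is the name: the LDAP `uid` has to match the primary component of the Kerberos principal in the client's default realm.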