Hi all,
I'm experiencing some problem between authentication and authorization
through Kerberos and LDAP.
This is my situation:
I can authenticate on LDAP through the option -Y GSSAPI after having
obtained a valid TGT from the KDC.
I have some questions:

Is it possible to authenticate via Kerberos on LDAP without obtaining
prior a ticket (i.e. when i have to authenticate to the LDAP i want
that username/password was asked and then these username/password
allow to obtain the ticket from Kerberos). I'm asking this because i
want that this new mechanism be invisible from a user point of view.
Are there some solution to this problem or I need to implement by
myself a customized client that communicate with kerberos and then
with the ticket to LDAP^???

Another question is about how to map authentication to authorization
in LDAP. The example found was very simple with a flat LDAP, I'm in an
hard situation, with an extremely non-regular LDAP tree, how to find
the correct mapping to the correct identity???

Thanks in advance,