I now know that we can make Kerberos use OpenLDAP as its data store backend, but only with Heimdal as our KDC, not MIT Kerberos.

I have read somewhere that with OpenLDAP you can add the krb5Principal object class and the krb5PrincipalName attribute to your users to allow them to use the credentials they get from Kerberos to bind to the tree and change things.

In such a case, would the Kerberos DB and the OpenLDAP DB be separate? Can we have a setup like this, in which the Kerberos DB and the OpenLDAP DB are different, but we bind to the OpenLDAP tree using Kerberos credentials?

Any help to clarify my concepts in this regard would be appreciated.

