> (a) use mod_auth_ldap for auth, with ldap pointed at a krb5 keytab
> containing authorized principals' credentials,
>
> or,
>
> (b) use mod_auth_krb5 for auth, with ldap setup as krb5's backend db, e.g.,
> dbmodule:db_library = kldap

auth_ldap does not give you credential but password authentication, and does not require a keytab.

auth_krb5 allows you password and credential (GSSAPI) auth. Password auth does not strictly require a keytab (you need to disable the kdcverify option or a similar one).

GSSAPI auth is probably what you want, as it gives secure auth without SSL, and allows real single sign on. But you need to configure the browsers. For IE, you must add the site to "Intranet sites" (or something alike), and with Firefox you need to go through about:config, searching for negotiate.

Hope this helps,
JaviP

P.S.: You don't strictly require ldap for this setup. It is at your option to backend kerberos on LDAP, but if your next step is to use ldap group membership for authorization, I didn't try that.
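
The GSSAPI setup described in the post above, as an added configuration example that is not part of the original post. It assumes the module is mod_auth_kerb and that "kdcverify" refers to its `KrbVerifyKDC` directive; the location, realm and keytab path are placeholders.

```apache
# Added example (not from the original post). Assumes mod_auth_kerb is loaded.
# /protected, EXAMPLE.COM and the keytab path are placeholders.
<Location "/protected">
    AuthType Kerberos
    AuthName "Kerberos Login"

    # Realm accepted for authentication (placeholder).
    KrbAuthRealms EXAMPLE.COM

    # Keytab holding the HTTP/<server-fqdn>@REALM service key.
    # Required for credential (GSSAPI) auth; keep it readable only by
    # the web server user.
    Krb5KeyTab /etc/httpd/conf/http.keytab
    KrbServiceName HTTP

    # Credential (GSSAPI/SPNEGO) auth: the single sign-on path. The
    # browser sends a service ticket, never the user's password.
    KrbMethodNegotiate On

    # Password auth: the browser sends the password via HTTP Basic and
    # the server checks it against the KDC. Off here because Basic
    # exposes the password to the network unless the site runs over TLS.
    KrbMethodK5Passwd Off

    # Only relevant when KrbMethodK5Passwd is On. With verification on,
    # the server uses its keytab to confirm the KDC reply is genuine.
    # Turning it off removes the keytab requirement for password auth,
    # but the server then accepts replies from a spoofed KDC.
    KrbVerifyKDC On

    Require valid-user
</Location>
```

On the Firefox side, the preference that the about:config search for "negotiate" turns up for this purpose is `network.negotiate-auth.trusted-uris`; list only the hosts that should receive Negotiate tokens.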