
Re: ldap backend question


--- Howard Chu <hyc@highlandsun.com> wrote:

> But there is a way to have an LDAP server use the
> Kerberos key for regular LDAP Binds.

How about a way to have LDAP's 'userid or uid' pointing to his mapped
Kerberos principal entry? It would be cumbersome for us to create a
Kerberos principal entry first and then create another duplicate entry
(username/id) in LDAP. Although I have managed to synchronize their
passwords through Kerberos pass-through using {SASL}, I have not managed
their userid/uid. If this can be made possible, then I guess we could have
our own version of an open-source Active Directory like Microsoft's. We
wanted to use LDAP because each user has more attributes than just a
username and password, and we need those attributes for other purposes.
Also, some programs don't support 'real' Kerberos authentication but just
plain LDAP.

Or is it advisable to just implement it on the client's side? For example,
we have a qmail-ldap installation which uses the user's uid/userPassword
for authentication. If only I were capable of forcing it to use a
converted|mapped krb5PrincipalName=principal@OURREALM attribute in place
of userid, then I would definitely go that way.

> --
>    -- Howard Chu
>    Chief Architect, Symas Corp.  http://www.symas.com
>    Director, Highland Sun        http://highlandsun.com/hyc
>    OpenLDAP Core Team            http://www.openldap.org/project/
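As an added illustration (not code from either poster), here is a consistency check for the linkage the question asks about: each LDAP user entry should carry a krb5PrincipalName equal to uid@REALM and a {SASL} pass-through userPassword pointing at that same principal, so that an LDAP Bind against the uid is actually verified by Kerberos. The LDIF sample, the DN layout and the realm EXAMPLE.COM are constructed assumptions.

```python
# Constructed sample LDIF for illustration only; DNs, realm and names are placeholders.
SAMPLE_LDIF = """dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krb5Principal
uid: jdoe
cn: John Doe
krb5PrincipalName: jdoe@EXAMPLE.COM
userPassword: {SASL}jdoe@EXAMPLE.COM

dn: uid=asmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krb5Principal
uid: asmith
cn: Ann Smith
krb5PrincipalName: asmith@OTHER.REALM
userPassword: {SSHA}notAKerberosPassthruValue
"""

def parse_ldif(text):
    """Split simple LDIF into a list of {attribute: [values]} dicts, one per entry.
    Continuation lines and base64 ('::') values are not handled; this is a minimal parser."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def check_principal_mapping(text, realm):
    """Return {uid: [problems]} for entries whose Kerberos linkage is inconsistent.
    An entry passes only if krb5PrincipalName == uid@realm and userPassword
    is the {SASL} pass-through value for that same principal."""
    problems = {}
    for entry in parse_ldif(text):
        uid = entry.get("uid", [""])[0]
        expected = f"{uid}@{realm}"
        issues = []
        if entry.get("krb5PrincipalName", [None])[0] != expected:
            issues.append("krb5PrincipalName does not equal uid@REALM")
        if entry.get("userPassword", [""])[0] != "{SASL}" + expected:
            issues.append("userPassword is not a {SASL} pass-through to the principal")
        if issues:
            problems[uid] = issues
    return problems
```

Running `check_principal_mapping(SAMPLE_LDIF, "EXAMPLE.COM")` flags only `asmith`, whose principal lives in another realm and whose password is stored locally rather than checked against the KDC.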
