[28725] in Kerberos


Re: mit kerberos and openldap

daemon@ATHENA.MIT.EDU (Roberto C. Sánc)
Tue Nov 13 10:30:33 2007

Date: Tue, 13 Nov 2007 10:30:09 -0500
From: Roberto C. Sánchez <roberto@connexer.com>
To: kerberos@mit.edu
Message-ID: <20071113153009.GA9949@connexer.com>
In-Reply-To: <200711122055.52441.crypt@sibinco.ru>

On Mon, Nov 12, 2007 at 08:55:52PM +0600, Konstantin Verba wrote:
> On Monday 12 November 2007 20:15:12 Roberto C. Sánchez wrote:
> > On Mon, Nov 12, 2007 at 08:06:43PM +0600, Konstantin Verba wrote:
> > > Hello, I'm trying to set up Single Sign-On using MIT Kerberos and
> > > OpenLDAP. I already have slapd configured and running, and created
> > > Kerberos containers in LDAP with kdb5_ldap_util. But as I can see, I have
> > > two different trees of entities, one is the krbcontainer tree and another
> > > is my ou, where I keep test users' accounts with the inetOrgPerson
> > > (structural) objectClass. The problem is I want the user to authenticate with
> > > Kerberos and then get access to uid and other data in LDAP. How to keep
> > > this all together? I've already created a mixed object class with
> > > inetorgperson and krbperson as parents, but krbPrincipalName and uid are
> > > still different fields.
> >
> > I accomplished something like what you are describing by not putting any
> > Kerberos-related information into LDAP and telling PAM on the clients to
> > authenticate against Kerberos and to get everything else from LDAP.
> >
> > Regards,
> >
> > -Roberto
>
> In such a case, I don't see any difference between using a separate LDAP tree
> or not using LDAP at all. I think all the trick you are talking about is in
> the PAM configuration, am I right?
>
Yes.  It is basically telling PAM to look in one place for some things and
in another place for everything else.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
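The split Roberto describes, Kerberos for authentication and LDAP for everything else, as an added configuration example (not from the original post or from either poster). It assumes a Debian-style PAM layout using the `[success=N default=ignore]` jump syntax, the pam_krb5 module, an NSS LDAP backend (nss_ldap or nss-pam-ldapd) already pointed at the slapd in question, and a placeholder realm EXAMPLE.COM; the uid threshold 1000 is also an assumption.

```conf
# /etc/pam.d/common-auth -- authentication: Kerberos only (pam_krb5).
# pam_unix is the fallback for accounts that have no principal (e.g. root).
# pam_ldap is deliberately absent: the LDAP server never sees a password.
auth    [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so

# /etc/pam.d/common-account -- account validity: pam_unix checks the entry
# NSS returned (from LDAP), pam_krb5 checks the principal's flags and expiry.
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite                   pam_deny.so
account required                    pam_permit.so
account required                    pam_krb5.so minimum_uid=1000

# /etc/pam.d/common-session -- keep the TGT obtained at login in a
# credential cache so the session can use GSSAPI services.
session optional                    pam_krb5.so minimum_uid=1000

# /etc/nsswitch.conf -- identity (uid, gid, home, shell, groups) comes from
# the ou holding the user entries. The KDC's krbcontainer tree is never
# consulted here, so the two trees can stay entirely separate.
passwd:  files ldap
group:   files ldap
shadow:  files

# /etc/krb5.conf -- the realm pam_krb5 appends to the login name.
# (EXAMPLE.COM is a placeholder, not the realm from the thread.)
[libdefaults]
    default_realm = EXAMPLE.COM
```

The join between the two stores is the login name: pam_krb5 builds the principal as `login@default_realm`, and NSS looks up `login` in the `uid` attribute in LDAP, so the `uid` value simply has to equal the first component of the principal. No shared object class and no krbPrincipalName attribute in the user entry is needed, which is how the "still different fields" problem is sidestepped. For NSS to return a usable account, the inetOrgPerson entries also need the posixAccount auxiliary class (uidNumber, gidNumber, homeDirectory, loginShell); inetOrgPerson alone does not carry those attributes. Each half can be checked independently: `kinit testuser` exercises only the KDC, and `getent passwd testuser` exercises only slapd through NSS; login works only when both succeed for the same name.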

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

