Re: MIT Kerberos LDAP backend

Douglas E. Engert wrote:
Not sure what you mean here as you have responded to Ken that its
not the KDC access to its data stored in LDAP that you are interested
in.

I think maybe some wires have been crossed, and I have not described what the issues are as well as I may have liked. We do want to use the KDC, but for it to access our pre-existing data in LDAP, but not write anything there.

Currently our route for authenticating users for various things (online mostly) is to authenticate against LDAP. Our user data is actually in Novell eDirectory, but the LDAP interface is the preferred method for access.

However we have a long term plan of rolling out an SSO service, and thought Kerberos would be best suited as there seems to be many Kerberos aware systems, and we may in the long term be moving to Active Directory (and ADFS) which I believe is (sort of) Kerberos which would give us an even greater scope of using Kerberos including for system logins.

So what we would have liked is for a web-based user to go to one of our web applications that requires authentication and for them to authenticate in a way that ends up with them having a valid Kerberos ticket somehow for other Kerberos aware applications, so they don't get asked for user/pass again in a session.

And we had hoped this could be achieved without having to create a duplication of all our user data into a Kerberos specific database, or for Kerberos to require to add any data to our LDAP server since it's basically read-only as it's populated from elsewhere.

From what I read of the Kerberos LDAP backend plugin, is that it can't
just be configured to look at our existing LDAP server and it's associated structure when a user tries to login to something via Kerberos, and use its own non-LDAP database for tickets and whatever other information is needed.

--
John Gilbertson
The University of Liverpool
.

Relevant Pages

  • Re: Need help for AFS+K5+LDAP
    ... I'd suggest getting Kerberos authentication to work for local accounts ... And then try to get LDAP working. ... to enable getting AFS tokens at login, ... >> What I'd like to do is letting our users authenticate over mit kdc, ...
    (comp.unix.aix)
  • Re: Authenticating LDAP connection with current windows users credentials?
    ... setup and theory behind an ldap ... The Kerberos only works with ADS right now but that is sufficient for your situation. ... when the user has logged in interactively and therefore has a valid Kerberos ticket cached in Windows logon credential cache. ... CallbackHandler callbackHandler = new KerbCallback; ...
    (comp.lang.java.programmer)
  • RE: Authentication Windows client against Kerberos MIT and authorizing against OpenLDAP.
    ... authorizing against OpenLDAP. ... but I got it to work so the XP workstations authenticate ... and then used MIT Kerberos on the desktops to ... same LDAP database, the user only had one password, and was ...
    (comp.protocols.kerberos)
  • Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
    ... (Specified realm `persona.de' not allowed by configuration) ... I recommend steering this thread back onto the kerberos mailing list. ... So what you're saying is that users do not know their userPrincipalName ... You could split the name and do an LDAP search on sAMAccountName=abaker ...
    (comp.protocols.kerberos)
  • Re: Kerberos Confusion / Design Questions
    ... > I'm planning on deploying Sun-Kerberos with LDAP I have a few design ... > server via gssapi-keyex SSO and other servers can log back into my ... > that is puzzling me is how to handle Kerberos access, ... > authentication will basically be provided through LDAP at this point ...
    (comp.protocols.kerberos)