Having been down this road, I can tell the you with complete confidence
that... it depends.
If the LDAP server is Active Directory, you can use LDAP or AD for
authentication, and they'll both work with the same password.
If you're using OpenLDAP and MIT Kerberos, it's a bit more of a problem,
since you essentially end up with two sets of passwords, which is not
If you're using PAM for everything, it's easier to get everything to use
that instead. That way, you get SSO where applications support it, and
where the don't, they still use the Kerberos back end via PAM. I did this
for email, where none of the installed software supported Kerberos SSO.
Once Kerberos was working properly (my fault, I explicitly ignored some of
the strongly worded reccomendations in the admin mannual) it was pretty
darn near bullet proof.
The problem child is various applications that only support an LDAP
backend, and can't be changed to use Kerberos directly.
OpenLDAP used to have this thing where a given entry could contain a
kerberos principle, and would do the look up for you. This has been
removed for some reason, and now you have to use a saslauthd daemon.
I strongly reccomend you don't use the CyrusSASL saslauthd daemon if you
can avoid it. I'll say no more hear, my views on CyrusSASL are mostly
unprintable. I never did manage to get it working with Kerberos though.
I've had good luck with using the Dovecot sasl daemon with postfix, so
it's very likely possible to do the same with LDAP. This is probably an
abomination and 'the wrong thing to do', but it works without large
amounts of head beating. Under Debian/Ubuntu, it's possible to only
install the dovecot-common package, without the imapd/pop3d parts,
although I haven't actually tried this.
The other possible option is to patch all your password changing utilities
to change multiple passwords. I've found that it works, until you need to
change something, and then breaks all over again.
Hope this is helpful,
> Hi All
> There is a Ldap server which store many user serving the authentication in
> my company. Now, I set up a Kerberos server to implement single-sign-on
> mechanism, after that I see some idea about Kerberos and LDAP backend. It
> is great, I deploy it successfully on test server. But now, there is a
> thing I confuse: After using the LDAP-backend, can I use Kerberos to
> authenticate some services (SSH for example), LDAP to authenticate others
> services (FTP, HTTP, ... for example), and all attributes of user
> (cn,userPassword,... for example) to other usage, but user can change
> password by kpasswd tool ?
> Have anyone experienced this situation ? Please give me some idea and how
> to implement it.
> Thank you,
> Hung Ta
> Kerberos mailing list Kerberos@mit.edu
Kerberos mailing list Kerberos@mit.edu