On Wednesday, 8 February 2012 01:22:33 Jean-Luc Wasmer wrote: > Hi, > > The user db on my system is stored in LDAP and integrated with PAM and NSS. > The LDAP db also contain address book data for each user. I would like to > be able to call ldap utilities (e.g. ldapsearch) without having the user > to enter his/her password everytime. I would also like for scripts running > as those users to have access to the respective LDAP entries. I noticed > ldapsearch supports SASL binds, so I was wondering if that could be used > in conjunction with Kerberos to accomplish my goal
Yes. > (from what I > understand, the kinit command would have to be called before ldapsearch). You would need to have a TGT. In a Kerberos environment, you should normally have things in place to ensure this (e.g. pam_krb5 for auth and session would accomplish getting an initial TGT on a login session). > Is there any other way to do this? There are other SASL mechs that may be of use, but also require other infrastructure or credential distribution. Kerberos/GSSAPI has other advantages as well, due to wide support/adoption. Regards, Buchan
