On Mon, Jan 07, 2019 at 04:18:36PM -0500, [email protected] wrote:
> I am using openldap proxy today with ldap backend.
>
> Any suggestions on how to use kerberos as the backend?
>
Kerberos only has information necessary for authentication, like principals and policies. LDAP stores much more, such as group memberships, numerical uids, home directories, etc. So normally people use both LDAP and Kerberos, not Kerberos alone.

There are 3 ways that Kerberos and LDAP can work together:

1, LDAP can use Kerberos to authenticate (bind) access
2, LDAP can forward authentication requests to Kerberos via SASL
3, Kerberos can use LDAP as a database backend

In my organization we are using 1 and 2, but not 3. I think Microsoft AD also does something similar under the hood.
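
Added example, not part of the original message: a configuration sketch for way 2 (OpenLDAP pass-through authentication, where slapd hands a simple-bind password to saslauthd, which checks it against the KDC). File paths, the DN and the realm are constructed sample values and vary by distribution.

```conf
# --- SASL config read by slapd (assumed path: /etc/sasl2/slapd.conf) ---
# Tells slapd's password check to ask saslauthd instead of a local hash.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- saslauthd, started with the Kerberos 5 backend ---
#   saslauthd -a kerberos5
# slapd must be built with --enable-spasswd for {SASL} values to work.

# --- LDIF applied with ldapmodify: delegate this entry's password ---
# The value after {SASL} is the Kerberos principal to verify against.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}jdoe@EXAMPLE.COM
```

With this setup the client still sends its password to slapd in a simple bind, so the LDAP connection needs TLS; no password hash is stored in the directory.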
