SCIENTIFIC-LINUX-USERS Archives

November 2005

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Mon, 7 Nov 2005 11:23:30 -0600

I want to have my Linux users authenticate with Kerberos against a Windows
domain and have LDAP provide the remaining user info.  Our staff all have
accounts in our lab-wide Windows domain.  By defining the default realm as
the lab-wide realm in krb5.conf, I can do exactly what I want.

However, in addition to the lab-wide Windows domain, each division here at
ANL has a Windows child domain.  For visitors to our division, we create
accounts locally for them on our child domain.  In SL3.0x which featured
OpenLDAP-2.0, RedHat provided a kerberos object schema that defined the
attribute krbName.  I used this to map the LDAP uid to a kerberos principal.
This way I could switch, on a per-user basis, the domain with which the user
would authenticate.  This schema has apparently been removed with SL 4.1
and OpenLDAP-2.2.  I can no longer switch the authentication domain per
user.  I was wondering if folks have encountered this problem and if they've
figured out a work-around.

I could have our visitors authenticate directly with the LDAP server, but I
was hoping to integrate authentication in the Linux world with the Windows
world.  One fewer password to remember.

Ken
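The mechanism Ken describes, as an added example that is not part of the original post or of any Scientific Linux or Red Hat code: a user whose LDAP entry carries a krbName attribute is sent to the realm named in that principal, and everyone else falls back to the default_realm from krb5.conf. The realm names, hostnames, krb5.conf text and LDIF entries below are constructed samples, not the poster's configuration. The resolver also refuses a krbName whose realm is not configured in krb5.conf, so a stale or mistyped attribute is flagged instead of silently redirecting authentication.

```python
"""Resolve, per LDAP user, which Kerberos realm the user authenticates against.

krbName (an attribute from the old Red Hat kerberos schema, as described in the
post) names the principal explicitly; users without it get uid@default_realm.
All inputs here are constructed samples; realm and host names are assumptions.
"""

# Constructed krb5.conf: a lab-wide parent realm and one division child realm.
KRB5_CONF = """\
[libdefaults]
    default_realm = LAB.EXAMPLE.GOV

[realms]
    LAB.EXAMPLE.GOV = {
        kdc = dc1.lab.example.gov
    }
    DIV.LAB.EXAMPLE.GOV = {
        kdc = dc1.div.lab.example.gov
    }

[domain_realm]
    .lab.example.gov = LAB.EXAMPLE.GOV
    .div.lab.example.gov = DIV.LAB.EXAMPLE.GOV
"""

# Constructed LDIF: a staff member (no krbName), a visitor mapped to the child
# realm via krbName, and a stale entry pointing at a realm krb5.conf never heard of.
LDIF = """\
dn: uid=ken,ou=People,dc=div,dc=lab,dc=example,dc=gov
uid: ken
uidNumber: 1001

dn: uid=visitor1,ou=People,dc=div,dc=lab,dc=example,dc=gov
uid: visitor1
uidNumber: 2001
krbName: visitor1@DIV.LAB.EXAMPLE.GOV

dn: uid=stale,ou=People,dc=div,dc=lab,dc=example,dc=gov
uid: stale
uidNumber: 2002
krbName: stale@OLD.EXAMPLE.ORG
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: value}} for flat 'key = value'
    lines. Nested '{ ... }' blocks (the per-realm stanzas) are skipped, which is
    enough to read default_realm and the [domain_realm] map."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if line.endswith('{'):      # entering a realm stanza
            depth += 1
            continue
        if line == '}':
            depth -= 1
            continue
        if depth == 0 and current is not None and '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            sections[current][key] = value
    return sections


def parse_ldif(text):
    """Split LDIF into entries: {attribute: [values]} per blank-line-separated record."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith('#'):
            continue
        attr, _, value = line.partition(':')
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def principal_for(entry, default_realm, known_realms):
    """Return (principal, realm, source) for one entry; source records whether the
    realm came from krbName or from default_realm. A krbName naming a realm that
    krb5.conf does not configure raises ValueError instead of being trusted."""
    uid = entry['uid'][0]
    names = entry.get('krbName')
    if names:
        principal = names[0]
        if '@' not in principal:                    # bare name: use the default realm
            principal = f'{principal}@{default_realm}'
        realm = principal.rsplit('@', 1)[1]
        if realm not in known_realms:
            raise ValueError(f'{uid}: krbName realm {realm} is not configured in krb5.conf')
        return principal, realm, 'krbName'
    return f'{uid}@{default_realm}', default_realm, 'default_realm'


def resolve_users(krb5_conf_text, ldif_text):
    """Map every uid to its principal. Returns (resolved, rejected) dicts."""
    conf = parse_krb5_conf(krb5_conf_text)
    default_realm = conf['libdefaults']['default_realm']
    known_realms = {default_realm} | set(conf.get('domain_realm', {}).values())
    resolved, rejected = {}, {}
    for entry in parse_ldif(ldif_text):
        uid = entry['uid'][0]
        try:
            resolved[uid] = principal_for(entry, default_realm, known_realms)
        except ValueError as exc:
            rejected[uid] = str(exc)
    return resolved, rejected


if __name__ == '__main__':
    ok, bad = resolve_users(KRB5_CONF, LDIF)
    for uid, (principal, realm, source) in sorted(ok.items()):
        print(f'{uid:10} -> {principal:32} via {source}')
    for uid, reason in sorted(bad.items()):
        print(f'{uid:10} REJECTED: {reason}')
```

Run as-is, it resolves ken to the lab-wide realm, visitor1 to the division realm, and rejects the stale entry. The set of acceptable realms is derived from what krb5.conf already maps, so the LDAP directory can choose among configured realms but cannot introduce a new one on its own.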
