Date: Mon, 7 Nov 2005 11:23:30 -0600
I want to have my Linux users authenticate with Kerberos against a Windows
domain and have LDAP provide the remaining user info. Our staff all have
accounts in our lab-wide Windows domain. By defining the default realm as
the lab-wide realm in krb5.conf, I can do exactly what I want.

However, in addition to the lab-wide Windows domain, each division here at
ANL has a Windows child domain. For visitors to our division, we create
accounts for them locally on our child domain. In SL3.0x, which featured
OpenLDAP-2.0, RedHat provided a Kerberos object schema that defined the
attribute krbName. I used this to map the LDAP uid to a Kerberos principal.
This way I could switch, on a per-user basis, the domain with which the user
would authenticate. This schema has apparently been removed with SL 4.1
and OpenLDAP-2.2. I can no longer switch the authentication domain per
user. I was wondering if folks have encountered this problem and if they've
figured out a work-around.

I could have our visitors authenticate directly with the LDAP server, but I
was hoping to integrate authentication in the Linux world with the Windows
world. One fewer password to remember.

Ken