I need to replace an old NIS with a top-notch OpenLDAP server.
I would like to add SSO support to my brand new architecture.
Two scenarios may occur:
1) Using pam_kerberos to authenticate against the KDC and retrieving
information from the LDAP server with SASL.
The drawback is that anyone (or anything) that needs to authenticate MUST be
2) Having the LDAP and Kerberos passwords synced.
Asset: you can authenticate through LDAP or Kerberos (pam_ldap required and
pam_kerberos optional), i.e. you must authenticate against LDAP, and if Kerberos
authentication succeeds you get a TGT!
Drawback: two password databases to protect / a lot of work on the client side /
passwords must be synced (do you know of tools to do it?).
I would add that security is not a major concern for us and we have many OSes on
the client side, which is why the 1st solution may not fit our needs.
Has anyone ever tried the second solution?
Do you have any hints or feedback?
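The two PAM stacks the post compares, written out as an added example (not code from the original post or from any of the projects it names). It assumes a Debian-style /etc/pam.d/common-auth layout, PADL nss_ldap/pam_ldap, the pam_krb5 module from libpam-krb5, and a hypothetical realm EXAMPLE.COM with base dc=example,dc=com; the nss_ldap SASL options (use_sasl, sasl_mech, krb5_ccname) and the output paths are assumptions. The script only writes into a scratch directory; the live checks that need a real KDC and LDAP server run only when asked for.

```shell
#!/bin/sh
# Added example, not from the original post: the two PAM "common-auth"
# stacks discussed above, plus the nss_ldap settings scenario 1 needs for a
# GSSAPI (Kerberos) bind. Assumptions (hypothetical): Debian-style PAM
# layout, PADL nss_ldap/pam_ldap, libpam-krb5's pam_krb5.so, realm
# EXAMPLE.COM, base dc=example,dc=com. Nothing is written under /etc.
set -eu

OUTDIR="${OUTDIR:-./sso-example}"

# Scenario 1: Kerberos is the only password check. pam_krb5 is "required",
# so every login must reach the KDC; LDAP is consulted only for account data
# (uid, gid, home, shell), over a GSSAPI bind instead of a stored bind password.
write_scenario1() {
    mkdir -p "$1"
    cat > "$1/common-auth" <<'EOF'
# Scenario 1: authenticate against the KDC only; the TGT comes for free.
auth    required    pam_krb5.so  minimum_uid=1000
EOF
    cat > "$1/ldap.conf" <<'EOF'
# nss_ldap: resolve accounts from LDAP, binding with the host's Kerberos
# identity (keytab-derived credential cache) rather than a plaintext password.
base        dc=example,dc=com
uri         ldap://ldap.example.com/
use_sasl    on
sasl_mech   GSSAPI
krb5_ccname FILE:/var/run/nss_ldap.ccache
EOF
}

# Scenario 2: LDAP holds the password that is actually checked ("required");
# pam_krb5 is "optional" with use_first_pass, so the same password is tried
# against the KDC. A Kerberos failure never blocks the login, and a success
# just leaves a TGT in the user's credential cache.
write_scenario2() {
    mkdir -p "$1"
    cat > "$1/common-auth" <<'EOF'
# Scenario 2: LDAP decides; Kerberos is best-effort, only to obtain a TGT.
auth    required    pam_ldap.so
auth    optional    pam_krb5.so  use_first_pass minimum_uid=1000
EOF
}

# Checks to run on a client after deploying either stack. Not executed by
# default: they need a reachable KDC and LDAP server.
live_checks() {
    kinit "$1"                                        # obtain a TGT for a test user
    klist                                             # confirm the TGT is cached
    ldapwhoami -Y GSSAPI -H ldap://ldap.example.com/  # GSSAPI bind to LDAP works
    getent passwd "$1"                                # nss_ldap resolves the account
}

# Returns the control flag (required/optional/...) that pam_krb5 has in a
# generated stack, so the difference between the two scenarios can be checked.
krb5_flag() {
    awk '$1 == "auth" && $3 == "pam_krb5.so" { print $2 }' "$1/common-auth"
}

write_scenario1 "$OUTDIR/scenario1"
write_scenario2 "$OUTDIR/scenario2"
if [ "${RUN_LIVE_CHECKS:-0}" = 1 ]; then
    live_checks "${1:-testuser}"
fi
```

Run it as `OUTDIR=/tmp/sso sh sso-example.sh` to inspect the generated fragments, and `RUN_LIVE_CHECKS=1 sh sso-example.sh alice` on a joined client to exercise the KDC, the GSSAPI bind and the NSS lookup. The point of the two stacks is the control flag on pam_krb5: "required" in scenario 1 makes the KDC the single point of authentication, while "optional" in scenario 2 keeps LDAP authoritative and turns the TGT into a bonus that silently disappears whenever the two password stores drift apart.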