I need to replace an old NIS with a top-notch OpenLDAP server.
I would like to add SSO support to my brand new architecture.
Two scenarios may occur:
1) Using pam_kerberos to authenticate against the KDC and retrieving information from the LDAP server with SASL.
The drawback is that anyone (or anything) that needs to authenticate MUST be Kerberos-aware.
2) Having LDAP and Kerberos passwords synced:
you can authenticate through LDAP or Kerberos (pam_ldap required and
pam_kerberos optional), i.e. you must authenticate against LDAP and if
Kerberos authentication succeeds you get a TGT!
Drawback: two password databases to protect / a lot of work on the
client side / passwords must be synced (do you know of materials to do it
I add that security is not a major concern for us and we have
many OSes on the client side; that's why the 1st solution may not fit our
Has someone ever experienced the second solution?
Do you have some hints and feedback?
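As an added example (not from the original post), here is what the second scenario looks like as a Linux-PAM stack: pam_ldap required, pam_krb5 (the post's "pam_kerberos") optional, reusing the same password so a successful Kerberos step yields a TGT. File paths, the Linux-PAM "common-*" layout and the ldap.conf options mentioned in comments are assumptions about the client setup.

```conf
# /etc/pam.d/common-auth (assumed path) - scenario 2: LDAP decides, Kerberos only adds a TGT
auth    required    pam_env.so
# Simple bind against OpenLDAP: the cleartext password goes over the wire,
# so /etc/ldap.conf must use "ssl start_tls" and "tls_checkpeer yes".
auth    required    pam_ldap.so
# use_first_pass: reuse the password already entered, no second prompt.
# optional: if the KDC is down or the password is not yet synced, login still
# succeeds, the user just gets no TGT (and no SSO) for that session.
# For scenario 1 you would instead put "auth sufficient pam_krb5.so" first.
auth    optional    pam_krb5.so use_first_pass

# /etc/pam.d/common-session - lets pam_krb5 create and destroy the credential cache
session optional    pam_krb5.so
session required    pam_unix.so

# /etc/pam.d/common-password - the point where the two stores must stay in sync.
# Both modules are "required" so a change is attempted in the KDC and in LDAP;
# if the second step fails the databases diverge, which is the sync problem
# the post asks about, so monitor password-change failures in both logs.
password required   pam_krb5.so
password required   pam_ldap.so use_authtok
```

With pam_ldap required first, a user whose LDAP password is stale cannot log in even if the Kerberos password is correct, which is the intended "authoritative store" behaviour of this scenario.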