Hi Quanah, thanks again for your answer. ii libsasl2-modules-gssapi-mit 2.1.22.dfsg1-18ubuntu2 \\ Cyrus SASL - pluggable authentication module I see the difference, but still have some questions: - In the first approach, the user already has a TGT and asks the KDC for a "ldap/fqdn@REALM-ticket"? This is done by ldapsearch, not by slapd? Hence, slapd "only" needs access to its keytab to be able to decrypt the clients messages? - And in the second one, the user provides username and password (plain), slapd converts the username into a principle (user@REALM) and forwards this to saslauthd? So this should be secured via TLS? I'm just looking for a setup that restricts access to LDAP to authenticated users (except, of course, information neccessary for authentication purposes). I need to use Kerberos for authentication, because I want to use NFSv4. There used to be a well-known howto for all this at http://www.bayour.com/LDAPv3-HOWTO.html but the site is offline for some days now. Thanks again for your help, Hauke --