What if I don't have pam, sssd, nss_ldap configured? Can I simulate LDAP user authentication? Meaning, every time a user is created in LDAP, we manually add its principal in Kerberos. Is it fine to do this?

On Sun, Jun 19, 2016 at 12:33 AM, Aneela Saleem <ane...@platalytics.com> wrote:

> Thanks for the response.
>
> I have actually all my users in LDAP and I'm trying to achieve Kerberos to
> authenticate to LDAP users. I learnt pam_krb5, nss_ldap etc are used for
> authentication and all the related mappings. But I don't know exactly
> whether I need all these things or not. Since I'm using Ubuntu and I
> actually want to use Kerberos for Hadoop, to authenticate users to access
> Hadoop File System. Please guide me how can I achieve this.
>
> Thanks
>
> On Sat, Jun 18, 2016 at 10:50 PM, Sean Elble <elb...@sessys.com> wrote:
>
>> > On Jun 18, 2016, at 6:59 AM, Aneela Saleem <ane...@platalytics.com> wrote:
>> >
>> > Hi,
>> >
>> > I'm new to Kerberos. I have configured it successfully. I can add
>> > principals and authenticate those principals well. Now I want to import
>> > users from LDAP. And there are some confusions regarding it.
>> >
>> > How would the authentication be managed in the case we want user management
>> > through LDAP and authentication through Kerberos? How would we map
>> > principals to LDAP users and vice versa? I have been looking into this for
>> > many days but I'm still not satisfied. Looking for suitable answers.
>>
>> It depends on what exactly you're doing. If we're talking about
>> Linux/UNIX boxes using Kerberos and LDAP, you would have configured
>> pam_krb5 for the authentication portion, and used nss_ldap for the
>> user/group lookups (via /etc/nsswitch.conf or similar). With sssd, you
>> can configure it to handle both Kerberos and LDAP pieces.
>>
>> Are your user names in Kerberos not the same as the user names as exist in
>> LDAP? If you're new to Kerberos, I'm guessing you only have the one realm,
>> which makes it quite simple--a user name (e.g., jsmith) would simply map to
>> your principal name (e.g., jsm...@example.com).
>>
>> Mixing LDAP and Kerberos really isn't that difficult. The only bit of
>> difficulty I've experienced with the two is when you want to use Kerberos
>> to authenticate to LDAP itself, and that's where you'd potentially have to
>> do some mapping for ACLs (and play with SASL, etc.). It's been a few years
>> since I've done that, but when moving from a CentOS 5 box to a CentOS 7 box
>> around a year ago, it hadn't seemed to change much.
>>
>> >
>> > Thanks.
>> > ________________________________________________
>> > Kerberos mailing list Kerberos@mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
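
When principals are added by hand for each LDAP user, as asked at the top of this thread, the two directories can drift apart; the sketch below is an added example (not code from the thread or its participants) that compares the two lists and reports LDAP users with no principal and user principals with no LDAP entry. It assumes LDIF text such as `ldapsearch` prints, a principal list such as kadmin's `listprincs` prints, a single realm `EXAMPLE.COM`, and that the LDAP `uid` equals the principal's primary name; all sample data is constructed.

```python
import base64

def ldif_uids(ldif_text):
    """Return the set of uid values found in LDIF text."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    uids = set()
    for line in lines:
        if line.lower().startswith("uid::"):    # "::" marks a base64 value
            uids.add(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.lower().startswith("uid:"):
            uids.add(line[4:].strip())
    return uids

def user_principals(listprincs_text, realm):
    """Return names of single-component principals in `realm`."""
    users = set()
    for line in listprincs_text.splitlines():
        name, _, princ_realm = line.strip().rpartition("@")
        # Skip other realms and instance principals (host/..., krbtgt/..., K/M).
        if princ_realm == realm and name and "/" not in name:
            users.add(name)
    return users

def reconcile(ldif_text, listprincs_text, realm):
    """Return (LDAP uids lacking a principal, principals lacking an LDAP uid)."""
    uids = ldif_uids(ldif_text)
    princs = user_principals(listprincs_text, realm)
    return sorted(uids - princs), sorted(princs - uids)

# Constructed sample data (not from the thread); realm EXAMPLE.COM is assumed.
SAMPLE_LDIF = (
    "dn: uid=jsmith,ou=people,dc=example,dc=com\nuid: jsmith\n\n"
    "dn: uid=alopez,ou=people,dc=example,dc=com\nuid:: YWxvcGV6\n\n"
    "dn: uid=hduser,ou=people,dc=example,dc=com\nuid: hdu\n ser\n"
)
SAMPLE_PRINCS = (
    "K/M@EXAMPLE.COM\nkrbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
    "host/node1.example.com@EXAMPLE.COM\njsmith@EXAMPLE.COM\nolduser@EXAMPLE.COM\n"
)

if __name__ == "__main__":
    missing, orphaned = reconcile(SAMPLE_LDIF, SAMPLE_PRINCS, "EXAMPLE.COM")
    print("LDAP users with no principal:", missing)
    print("principals with no LDAP user:", orphaned)
```

A principal left behind after its LDAP entry is deleted can still obtain tickets, so the second list is the one to review first.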