Re: ldap and Kerberos

You can use netgroups within LDAP to control who can log in to what.


From: IBM AIX Discussion List [mailto:aix-l@xxxxxxxxxxxxx] On Behalf Of
Sent: Thursday, August 27, 2009 10:02 AM
To: aix-l@xxxxxxxxxxxxx
Subject: Re: ldap and Kerberos

This is a usual question that I have been asked:

In case we create a user in LDAP, how can we restrict the user to access
only a few servers?

I believe that is the place Kerberos comes into play.

Is there any other solution to restrict users accessing servers that are
using LDAP?

From: IBM AIX Discussion List [mailto:aix-l@xxxxxxxxxxxxx] On Behalf Of
Mills, John T
Sent: Thursday, August 27, 2009 9:31 AM
To: aix-l@xxxxxxxxxxxxx
Subject: Re: ldap and Kerberos

If run in conjunction with AD, kerberized LDAP installs will allow full
use of account administration. Without Kerberos, you can pull the
password for authentication only.

John T. Mills


From: IBM AIX Discussion List [mailto:aix-l@xxxxxxxxxxxxx] On Behalf Of
Tansley, David
Sent: Thursday, August 27, 2009 8:51 AM
To: aix-l@xxxxxxxxxxxxx
Subject: ldap and Kerberos


Can someone explain the benefits, if any, of running Kerberos and LDAP
together, instead of just using LDAP (TDS) for authentication?



David Tansley

Email: david.tansley@xxxxxxxxxxxx
