Setting up Mac OSX with Kerberos/Ldap authentication

I was recently contacted by a user who wants to set up their computer labs to use an SSO type of authentication. Since all of the computers in the lab are Macs, I figured why not have them authenticate via our Kerberos server and use our LDAP server to retrieve user information. This seemed to be the most logical approach to me, so off I went and found some good documentation on Google from others who have done what is being requested.

After reading some of the above setup information, it started to become clear to me that I might have a small issue. Setting up Kerberos to handle authentication seems like it would be a trivial task. The issue is that even though our LDAP does have all of the necessary user information in it, some users have the ability to make their information private. Since the private information is only viewable to privileged reader accounts, an anonymous LDAP search will not return the necessary information for those users. This causes me a little heartburn, because I don't want to issue a privileged reader account that will then be stored on all of the lab computers. To me this could become a maintenance nightmare.

So for now I am trying to find out if the following things would work. I think my options are these:

  1. Use the user's Kerberos ticket to get only that user's info from our OpenLDAP
  2. Just make the user bind via Active Directory
  3. Write a script that gets executed on authentication which can set up the user's profile info
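One way to combine options 1 and 3 is a login-time script that binds to OpenLDAP with SASL/GSSAPI using the ticket the user just obtained, so the Macs never store a privileged reader password. The following is an added example, not code from the original post; it assumes the server name and search base shown, that the OpenLDAP server maps the Kerberos principal to an identity allowed to read its own entry, and that `ldapsearch` and `klist` are installed.

```shell
#!/bin/sh
# Added example: read one user's own LDAP entry with the user's Kerberos
# ticket (no stored bind password), then extract the fields a login hook
# needs. Server and base are assumptions; adjust for your directory.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.edu}"        # assumption
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=edu}"  # assumption

# Fetch the LDIF entry for one uid via SASL/GSSAPI, using the current
# ticket cache. Refuses uids that could alter the search filter.
fetch_user_ldif() {
    case "$1" in *[!a-z0-9._-]*|"") echo "bad uid: $1" >&2; return 1;; esac
    klist -s || { echo "no valid Kerberos ticket" >&2; return 1; }
    ldapsearch -LLL -Q -Y GSSAPI -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(uid=$1)" uid uidNumber gidNumber homeDirectory loginShell gecos
}

# Print the first value of one attribute from LDIF on stdin.
# Base64-encoded values ("attr:: ...") are not handled here.
ldif_attr() {
    awk -v a="$1" '$1 == a":" { sub(/^[^:]*: /, ""); print; exit }'
}

# Turn one LDIF entry (stdin) into "uid:uidNumber:gidNumber:home:shell".
# Fails if a required attribute is absent, which is exactly what happens
# when the entry is private and the binding identity may not read it.
profile_from_ldif() {
    entry=$(cat)
    out=""
    for attr in uid uidNumber gidNumber homeDirectory loginShell; do
        val=$(printf '%s\n' "$entry" | ldif_attr "$attr")
        [ -n "$val" ] || { echo "missing $attr in LDAP entry" >&2; return 1; }
        out="$out${out:+:}$val"
    done
    printf '%s\n' "$out"
}

# Constructed sample entry, standing in for real ldapsearch output.
SAMPLE_LDIF='dn: uid=mjennings,ou=People,dc=example,dc=edu
uid: mjennings
uidNumber: 5001
gidNumber: 100
homeDirectory: /Users/mjennings
loginShell: /bin/bash
gecos: Mike Jennings'

# Live usage from a login hook would be:
#   fetch_user_ldif "$USER" | profile_from_ldif
```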

I am interested in whether anyone has done this before, or has any thoughts on a good approach to accomplishing this task.

Posted on Jan 14, 2009 by Mike Jennings in Open Source | 0 Comments | Permalink
