
I have a system that currently uses an LDAP/AD server for authentication via pam and the pam_ldap module. In order to use this server for authentication pam_ldap requires an account which exposes the data on LDAP to me. The account data is normally filled in via the binddn and bindpw fields of the configuration. As I understand the pam module logs in with binddn and bindpw, then performs a search for the user and afterwards binds for each user who is able to login.

The administrators of the LDAP/AD server want me to use a kerberos keytab loaded onto my system instead of providing a binddn and bindpw. And so my question is:

How can I configure pam for this situation?

I am able to get ldapsearch commands to work with kerberos credentials but the pam_ldap documentation states that only simple authentication is supported for the initial bind. Meaning the server would need to provide the binddn and bindpw (that they want to stop using) or allow anonymous binds, which they definitely do not want to allow.

I found this page that contains a section titled "Configure Kerberos Authentication for LDAP Bind" which sounds like exactly what I want to do but I haven't been able to figure out how to apply it to my situation. Any help, direction or commiserating would be much appreciated.

This is the closest thing I could find to my problem already on here: link.

spedl
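The question describes a client that holds a service account's bind DN and password on disk so that pam_ldap can perform its initial search before binding as the user. A defender auditing such hosts wants a quick way to find that stored credential and the related weak settings. The following is an added example, not code from the question, the answer, or the pam_ldap project: it parses the PADL-style `key value` format used by /etc/pam_ldap.conf, reports a stored bindpw, a config file readable by group or others, and LDAP traffic not protected by TLS. The sample configurations, host names and DNs are constructed for the example; the "last occurrence wins" parsing rule is an assumption.

```python
"""Audit a pam_ldap-style client configuration for static bind credentials.

Added example (not from the original post or from pam_ldap). It reads the
`key value` format of /etc/pam_ldap.conf and flags settings a defender would
want changed: a bind password stored on the client, a config file carrying
that password that is readable by group/others, and unprotected LDAP traffic.
"""
import stat
from typing import Dict, List, Optional

# Constructed sample: the kind of pam_ldap.conf the question describes.
SAMPLE_WITH_BINDPW = """\
# /etc/pam_ldap.conf (constructed example)
host ldap.example.test
base dc=example,dc=test
binddn cn=pamclient,ou=service,dc=example,dc=test
bindpw NotASecretAnymore
ssl no
pam_login_attribute sAMAccountName
"""

# Constructed sample: same client with the stored password removed and TLS
# enforced (pam_ldap's simple bind cannot use a keytab, so the search identity
# has to come from elsewhere; this file only shows what no longer leaks).
SAMPLE_HARDENED = """\
host ldap.example.test
base dc=example,dc=test
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
"""


def parse_pam_ldap_conf(text: str) -> Dict[str, str]:
    """Parse `key value` lines; comments and blank lines are skipped.

    Keys are lower-cased; values keep embedded spaces (e.g. file paths).
    Assumption for this example: if a key repeats, the last occurrence wins.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[key] = value
    return settings


def audit_config(settings: Dict[str, str], mode: Optional[int] = None) -> List[str]:
    """Return a list of findings; `mode` is the config file's st_mode bits, if known."""
    findings: List[str] = []

    # A bind password on the client is a long-lived secret that any local
    # reader of the file can reuse against the directory.
    if "bindpw" in settings or "rootbindpw" in settings:
        findings.append("static bind password stored on the client")
        if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("config file containing bindpw is readable by group/others")

    # Without TLS the simple bind sends the password (and every user's
    # password during the per-user bind) in cleartext.
    ssl_mode = settings.get("ssl", "no").lower()
    if ssl_mode not in ("yes", "on", "start_tls"):
        findings.append("LDAP traffic not protected by TLS (ssl is not on/start_tls)")
    elif settings.get("tls_checkpeer", "no").lower() not in ("yes", "on", "hard", "demand"):
        findings.append("TLS enabled but server certificate is not verified (tls_checkpeer)")

    return findings


def audit_text(text: str, mode: Optional[int] = None) -> List[str]:
    """Convenience wrapper: parse then audit."""
    return audit_config(parse_pam_ldap_conf(text), mode)


if __name__ == "__main__":
    # 0o644 is a typical default mode for a freshly created /etc file.
    for name, sample, mode in (
        ("with bindpw", SAMPLE_WITH_BINDPW, 0o644),
        ("hardened", SAMPLE_HARDENED, 0o600),
    ):
        print(f"{name}: {audit_text(sample, mode) or ['no findings']}")
```

Run it against a real file with `audit_text(open(path).read(), os.stat(path).st_mode)`; the bindpw finding is the one that the directory administrators in the question are asking to eliminate.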

1 Answer

You need the pam_krb5 module for implementing such authentication (there are many instructions on how to set this up).

When Kerberos authentication is used, LDAP is not used on the client.

Slipeer