Configuring LDAP synchronization for Kerberos users

LDAP synchronization can be combined with Kerberos SSO authentication in two ways: by using an existing LDAP configuration or by creating a new one.

To use an existing LDAP configuration to authenticate Kerberos users:

  1. Modify the user login domain attribute in the user object of all Kerberos users to use the short domain name instead of the name of the LDAP server.

    For example, if a Kerberos user is part of the wdkdomain.com domain, change the user login domain attribute to wdkdomain.

  2. (Optional) If the password is not in plug-in format, change the user source attribute in the user object to dm_krb for all Kerberos users that are synchronized via LDAP.

  3. Run the LDAP synchronization job.

To create a new LDAP configuration to authenticate Kerberos users:

  1. Create an LDAP configuration object, as described in Adding or modifying LDAP server configurations. Use the short domain name as the LDAP configuration object name.

    For example, if Kerberos users are part of the wdkdomain.com domain, create an LDAP configuration object using wdkdomain as the LDAP configuration object name.

  2. Change the user source attribute in the user object to dm_krb for all Kerberos users that are synchronized via LDAP.

  3. Run the LDAP synchronization job.
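
Before running the synchronization job in either procedure, the user objects can be checked against steps 1 and 2. The following audit is an added example, not part of the original documentation or the product: it assumes user rows have been exported with the attributes user_name, user_login_domain and user_source, and all sample rows are constructed.

```python
# Added example: pre-sync audit of exported user rows. Assumed (not from the
# page): the attribute names user_name, user_login_domain, user_source and the
# row layout. All sample rows are constructed.

KRB_SOURCE = "dm_krb"  # user source value named in step 2


def audit_user(user, short_domain, source_required):
    """Return the findings for one user row; an empty list means ready."""
    findings = []
    domain = (user.get("user_login_domain") or "").strip()
    if domain != short_domain:
        if not domain:
            why = "is empty"
        elif domain.lower().startswith(short_domain.lower() + "."):
            why = "is the full domain name"
        else:
            why = "is not the short domain name"
        findings.append(f"user_login_domain {domain!r} {why}, expected {short_domain!r}")
    source = (user.get("user_source") or "").strip()
    if source != KRB_SOURCE:
        level = "required" if source_required else "optional"
        findings.append(f"user_source {source!r} is not {KRB_SOURCE!r} ({level})")
    return findings


def audit(users, short_domain, source_required):
    """Map user_name to findings for every row that still needs a change."""
    report = {}
    for user in users:
        findings = audit_user(user, short_domain, source_required)
        if findings:
            report[user["user_name"]] = findings
    return report


SAMPLE_USERS = [  # constructed rows
    {"user_name": "alice", "user_login_domain": "wdkdomain", "user_source": "dm_krb"},
    {"user_name": "bob", "user_login_domain": "wdkdomain.com", "user_source": "LDAP"},
    {"user_name": "carol", "user_login_domain": "ldap01", "user_source": "dm_krb"},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS, "wdkdomain", True).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Pass source_required=False when reusing an existing LDAP configuration, where the user source change is optional, and True for a new LDAP configuration.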