[This question is not about getting your LDAP password to authenticate you for SSH logins. We have that working just fine, thank you :-) ]
Let's suppose you're on a Linux network (Ubuntu 11.10, slapd 2.4.23), and you need to write a set of utilities that will use ldapmodify, ldapadd, ldapdelete, and so on. You don't have Kerberos, and don't want to deal with its timeouts (most users don't know how to get around this), quirks, etc. This resolves the question to one of where else to get credentials to feed to LDAP, probably through GSSAPI - which technically doesn't require Kerberos despite its dominance there - or something like it.
However, nearly everyone seems to have an SSH agent program, complete with its key cache. I'd really like an ssh-add to be sufficient to allow passwordless LDAP command use.
Does anyone know of a project working on using the SSH agent as the source of authentication to LDAP? It might be through an ssh-aware GSSAPI layer, or some other trick I haven't thought of. But it would be wonderful for making LDAP effortless. Assuming I haven't just utterly missed a way to use ldapmodify and kin without having to type my LDAP passwords - using -x is NOT acceptable.
At my site, the LDAP server only accepts ldaps connections, and requires authentication for modifying operations. Those are requirements, of course.
OpenLDAP uses SASL for authentication. SASL does not understand ssh-keys.
However, SASL does have hooks to TLS libraries. You should be able to do what you want using SASL EXTERNAL TLS with Client Certificates. You'll probably also have to modify either your ACLs or your Authentication Mapping.
On Kerberos:
- If by timeout you mean clockskew, that's what NTP is for.
- If you mean ticket expiration, then you'd want to use kstart.
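To make the SASL EXTERNAL suggestion above concrete, here is an added example of the server-side `cn=config` changes it implies, written by the editor rather than taken from the answer or from OpenLDAP's own documentation. The suffix `dc=example,dc=com`, the CA path, the `{1}hdb` database name (the Ubuntu 11.10 default) and the certificate subject layout `cn=<user>,ou=people,dc=example,dc=com` are all assumptions; substitute your own.

```ldif
# Constructed example: server-side configuration for SASL EXTERNAL over ldaps
# with client certificates. All DNs, paths and the database name are assumed.

# 1. Verify client certificates against the site CA. "try" keeps ldaps usable
#    for clients that present no certificate (they simply get no identity);
#    "demand" would reject them at the TLS layer instead.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/site-ca.pem
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
-
# 2. Map the certificate subject DN that SASL EXTERNAL hands to slapd
#    (assumed form: cn=alice,ou=people,dc=example,dc=com) onto the user's
#    real entry via a search on uid. Mapping through a search, rather than
#    using the subject DN verbatim, means the effective identity is whatever
#    the directory says it is, so a cert for a user who has been removed from
#    the directory maps to nothing.
replace: olcAuthzRegexp
olcAuthzRegexp: {0}"^cn=([^,]+),ou=people,dc=example,dc=com$" "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"

# 3. ACLs decide what the mapped identity may modify. Here a user may write
#    their own entry and read others; unmapped connections get nothing.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by self write by users read by * none
```

Apply it on the server with `ldapmodify -Y EXTERNAL -H ldapi:/// -f external-auth.ldif` (root over the `ldapi` socket is the usual way to edit `cn=config` on Ubuntu). On the client side, the equivalent of `ssh-add` is a `~/.ldaprc` pointing at the user's certificate and key, for example `TLS_CACERT /etc/ssl/certs/site-ca.pem`, `TLS_CERT /home/alice/.ldap/alice.crt`, `TLS_KEY /home/alice/.ldap/alice.key` and `SASL_MECH EXTERNAL`; after that, `ldapwhoami -H ldaps://ldap.example.com` should answer with the mapped `dn:uid=alice,ou=people,dc=example,dc=com` and `ldapmodify` works without a password. The private key then carries the same weight as `~/.ssh/id_rsa`, so it needs the same file permissions, and unlike an agent-held SSH key it stays on disk unencrypted unless you accept a passphrase prompt from the TLS library.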