You can configure MIT Kerberos Key Distribution Center (KDC) to use eDirectory for storing Kerberos principals. Kerberos principals are associated with eDirectory users and each Kerberos principal has Kerberos keys required by the KDC. These keys are derived from the users’ Kerberos passwords and may be different from the users’ eDirectory passwords.
The Kerberos Password Agent (KPA) is a module that you can load inside an eDirectory server. It synchronizes the users’ Kerberos keys with their eDirectory passwords.
For more information about Universal Passwords, refer to the NetIQ Modular Authentication Services Administration Guide.