
Re: LDAP+Kerberos



On Sat, Nov 18, 2000 at 05:27:40PM +1100, Brian May wrote:
> >>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@ubsw.com> writes:
>     Nicolas> Also, you won't care to use PAM_LDAP, I don't
>     Nicolas> think. You'll want PAM_KRB5 instead...
> 
> I am currently trying that, but I can't seem to log in for some reason
> unless the LDAP password matches the Kerberos password.
> 
> Oh, I see. I have to change the "account" PAM settings as well as the
> "auth" setting.
> 
> Currently I have
> 
> auth    required pam_krb5.so
> account required pam_ldap.so
> 
> Does this look right? Do I need to change "session" too?

Well, I don't know if you have to authenticate to the LDAP server in
order to even perform the lookups that pam_ldap will require to
implement its authorization checks. If it does, then you have to keep:

account required pam_ldap.so

You may want to use the use_first_password option. Password
synchronization will be an issue though. Perhaps you could use SASL to
authenticate to the LDAP server, using a GSS-API SASL plug-in and using
the Kerberos GSS-API mechanism (what a mouthful) to authenticate to the
LDAP server using Kerberos. But then pam_krb5 and pam_ldap would have to
cooperate with each other.

> Also, (now this is off-topic!), can anyone tell me what the easiest
> way is to delete everybody's LDAP password. Currently I am doing it
> one entry at a time with ldapmodify + file, and I
> was... well... hoping that a faster way would be possible...

Dunno.

> I am also guessing that Heimdal's login program must have direct
> built-in support for LDAP authentication, otherwise something very
> strange is going on here.
> -- 
> Brian May <bam@snoopy.apana.org.au>


Nico
--
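The PAM stack Nico describes, written out as an added example (editor's, not configuration posted in this thread or shipped by either module's project). It assumes Linux-PAM with a pam_krb5 module and PADL pam_ldap, the service file /etc/pam.d/login, and a PADL-style /etc/ldap.conf; file paths, hostnames and DNs are assumptions. Note that the option both modules actually accept is spelled use_first_pass. The first, commented-out stack is the one that keeps two password stores and forces the synchronisation problem the reply warns about; the second keeps Kerberos as the only password check and lets pam_ldap do authorization only.

```conf
# /etc/pam.d/login (assumed path)
#
# Weak variant: two password stores. After pam_krb5 verifies the typed
# password, pam_ldap re-uses it (use_first_pass) to bind as the user, so
# userPassword in LDAP must be kept identical to the Kerberos key and
# remains a second, offline-crackable copy of it.
#auth     required   pam_krb5.so
#auth     required   pam_ldap.so use_first_pass
#account  required   pam_ldap.so

# Preferred variant: Kerberos is the only password check. pam_ldap only
# answers "is this account allowed to log in here" from directory data;
# no LDAP password is involved at login, so nothing needs to stay in sync.
auth     required   pam_krb5.so
account  required   pam_krb5.so
account  required   pam_ldap.so
password required   pam_krb5.so
session  required   pam_krb5.so
# Local accounts (root, rescue logins) still need pam_unix in the usual
# "sufficient/required" arrangement your distribution ships; omitted here.

# /etc/ldap.conf (assumed path; PADL nss_ldap/pam_ldap shared config)
#
# How pam_ldap reaches the directory for its account lookups. The options
# below are the ones I believe PADL's ldap.conf accepts for a Kerberos
# (SASL GSSAPI) bind; treat the names as assumptions and check ldap.conf(5).
host     ldap.example.com           # assumed hostname
base     dc=example,dc=com          # assumed suffix
ssl      start_tls                  # protect the lookup traffic
use_sasl on
sasl_mech GSSAPI
krb5_ccname FILE:/var/run/ldap-host.ccache   # assumed cache location
```

For the GSSAPI bind to work, the host needs a keytab for a principal the directory will accept and a ticket cache at krb5_ccname that something (a cron job running kinit -k, or a tool such as k5start) keeps renewed; with the cache missing the account step fails closed and nobody can log in, which is the check to do before switching the stack over.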
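On the bulk-deletion question, an added example (editor's, not an answer given in the thread). Brian's one-ldapmodify-per-entry loop can be collapsed into a single ldapmodify run by generating one LDIF stream with a change record per DN; the function below does that from a list of DNs on stdin. The base DN, admin DN and the search pipeline are assumptions, and the only thing executed stand-alone is a demo on constructed DNs.

```shell
#!/bin/sh
# Added example: build ONE LDIF with a "delete: userPassword" change record
# per DN so a single ldapmodify clears every LDAP password, instead of one
# ldapmodify invocation per entry. Server names, DNs and credentials are
# assumptions.

# Read DNs (one per line) on stdin; write an LDIF modify stream on stdout.
# "|| [ -n "$dn" ]" keeps a final line that lacks a trailing newline.
make_delete_ldif() {
    while IFS= read -r dn || [ -n "$dn" ]; do
        [ -n "$dn" ] || continue
        printf 'dn: %s\nchangetype: modify\ndelete: userPassword\n-\n\n' "$dn"
    done
}

# Count change records in an LDIF stream: a sanity check on the generated
# file before pointing ldapmodify at the production directory.
count_records() {
    grep -c '^changetype: modify$'
}

# Real run (needs a reachable server; deliberately not called here):
# list every entry that still has a userPassword, then feed one LDIF to one
# ldapmodify. -c continues past per-entry errors instead of aborting.
# Caveats: the sed keeps only plain "dn: " lines, so base64-encoded
# "dn:: " values are skipped, and ldapsearch folds lines longer than 76
# characters (newer OpenLDAP accepts -o ldif-wrap=no to prevent that).
delete_all_passwords() {
    base="$1"      # e.g. ou=People,dc=example,dc=com (assumed)
    binddn="$2"    # e.g. cn=admin,dc=example,dc=com (assumed)
    ldapsearch -x -LLL -b "$base" '(userPassword=*)' dn \
      | sed -n 's/^dn: //p' \
      | make_delete_ldif \
      | ldapmodify -x -c -D "$binddn" -W
}

# Stand-alone demo with constructed DNs (no server involved).
demo_ldif() {
    printf '%s\n' \
        'uid=alice,ou=People,dc=example,dc=com' \
        'uid=bob,ou=People,dc=example,dc=com' \
      | make_delete_ldif
}

demo_ldif
```

Searching with the filter (userPassword=*) matters: "delete: userPassword" with no values removes the whole attribute, and the server rejects that for an entry which has none, so restricting the DN list to entries that still carry a password keeps the run clean. Once everything authenticates through pam_krb5, those leftover hashes are exactly the kind of stale copy worth removing.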