
Re: LDAP+Kerberos



>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@ubsw.com> writes:

    Nicolas> Well, I don't know if you have to authenticate to the
    Nicolas> LDAP server in order to even perform the lookups that
    Nicolas> pam_ldap will require to implement its authorization
    Nicolas> checks. If it does, then you have to keep:

    Nicolas> account required pam_ldap.so

hmmm... I was under the impression that this "account" information has
nothing to do with authentication, but the rest of the user's details
that you would normally find under /etc/passwd (uid, real name, shell,
home directory, etc).

Anyway, my system is working fine with Kerberos for authentication and
LDAP for this other information. The only serious problem I have is
with xscreensaver.

    Nicolas> You may want to use the use_first_password
    Nicolas> option. Password synchronization will be an issue

What module takes the use_first_password option? What does it do?

    Nicolas> though. Perhaps you could use SASL to authenticate to the
    Nicolas> LDAP server, using a GSS-API SASL plug-in and using the
    Nicolas> Kerberos GSS-API mechanism (what a mouthful) to
    Nicolas> authenticate to the LDAP server using Kerberos. But then
    Nicolas> pam_krb5 and pam_ldap would have to cooperate with each
    Nicolas> other.

That's something I have to think about for later. (My OpenLDAP server,
from Debian's potato, is currently too old for SASL support.)
-- 
Brian May <bam@snoopy.apana.org.au>
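The split the thread is discussing, Kerberos for the "auth" phase and LDAP only for the "account" (authorization) phase, is easiest to see in an actual PAM service file. The following is an added, hypothetical Linux-PAM configuration written for this archive page; it is not from either poster's system. It assumes the Red Hat style pam_krb5 and PADL pam_ldap modules, and it assumes that the option Nicolas refers to as use_first_password is the standard Linux-PAM option spelled use_first_pass, which makes a module reuse the password already collected by an earlier module in the stack instead of prompting again (this is what keeps a single password prompt when several auth modules are stacked, and it is also why password synchronization between Kerberos and a fallback password store becomes an issue).

```pam
# /etc/pam.d/some-service   -- hypothetical example, not from the thread
#
# auth phase: the password is verified against the Kerberos KDC.
# "sufficient" means success here ends the auth stack; pam_ldap is
# deliberately not consulted for authentication at all.
auth     sufficient  pam_krb5.so
# Fallback for purely local accounts. use_first_pass reuses the
# password pam_krb5 already prompted for, so the user is asked once.
auth     required    pam_unix.so   use_first_pass

# account phase: authorization checks (account expiry, host-access
# restrictions and similar attributes held in the directory) run
# against LDAP, independently of how the password was verified.
account  required    pam_ldap.so

# session and password stacks are omitted from this example.
```

Note that the account line does not receive a password at all; if the directory refuses anonymous reads of the attributes pam_ldap needs, pam_ldap must bind with its own configured credentials, which is exactly the "do you have to authenticate to the LDAP server to perform the lookups" question raised earlier in the thread.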