Problems with sasl authentication


 



David Boreham wrote:

>
>>
>>Hmm... What I'm trying to accomplish here is a configuration where users
>>authenticate to the ldap server with username/password (no kerberos
>>ticket) and their password is checked from kerberos. Is this possible
>>to do with the standard plugins? I've had a hard time trying to figure
>>out how to do this... =) The idea in this is that we'd like to have
>>a single service for authenticating users, even for services that do not
>>support kerberos.
>>  
>>
> This isn't supported in the current code.

If you just want to do LDAP SIMPLE BINDs with username/password 
(hopefully over a TLS connection), and use the Kerberos password instead 
of the userPassword attribute, you can use the PAM passthru bind 
plugin.  You will have to grab the Fedora DS source and build it.  What 
this does is pass the BIND authentication request to PAM, which you can 
configure to go to Kerberos for authentication.

>>If it's not possible, I'll look into writing a plugin that does this.
>>  
>>
> Sounds good. First you'd need to figure out how to perform a proxied
> authentication against kerberos. With the existing SASL/GSSAPI mechanism
> we don't need to do that because we're simply passing through the
> authentication payload between GSSAPI and the client. Presumably you'd
> need to do whatever 'kinit' does, but inside the DS.
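As an added illustration of the PAM passthru approach described in the reply above (not configuration from the original message or from the Fedora DS project), the fragment below sketches the two pieces involved: the plugin entry and the PAM service it hands the bind to. It assumes the attribute names documented for the PAM Pass Through Auth plugin in later 389 Directory Server releases, a PAM service called `ldapserver`, and the `pam_krb5.so` module; adjust all three to what your build actually provides.

```ldif
# Constructed example. Assumptions: plugin entry DN and pam* attribute names
# as documented for later 389 Directory Server releases; PAM service name
# "ldapserver"; Kerberos reached through pam_krb5.so.
#
# PAM side, /etc/pam.d/ldapserver (the service named by pamService below):
#   auth     required  pam_krb5.so
#   account  required  pam_krb5.so
#
# Directory side, applied with ldapmodify as Directory Manager.
# pamSecure: TRUE     - refuse PAM binds on connections without TLS/SSL, so
#                       the Kerberos password never crosses the wire in clear.
# pamFallback: FALSE  - a PAM failure is final; do not retry against a local
#                       userPassword value that may be stale or weaker.
# pamIDMapMethod: RDN - use the leftmost RDN value of the bind DN (for example
#                       uid=jdoe,... gives "jdoe") as the PAM user name.
# pamExcludeSuffix    - keep cn=config binds (Directory Manager) local, so a
#                       Kerberos outage cannot lock out administration.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamService
pamService: ldapserver
-
replace: pamSecure
pamSecure: TRUE
-
replace: pamFallback
pamFallback: FALSE
-
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
```

With this in place a SIMPLE bind still carries the cleartext password to the directory server, so the TLS requirement is the control that matters; the server in turn needs a working Kerberos client configuration for the PAM module to reach the KDC.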

