pass-thru questions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



MJD Shopping Account wrote:
> I'm reading with interest the many recent articles on the PAM passthru plugin.  I'm hoping to implement it here and have a few questions.
>
> Do you have to add the dn: entry (example in the plugin README) by way of editing the dse.ldif, or can it also be added via an 'ldapadd -f <file>.ldif' command?
>   
Either way is ok.  But you still have to restart the server after adding 
the entry.
> How does use of this plugin relate to setting the userPassword attribute to something like '{KERBEROS}user at REALM'?  Is that a completely separate method for using kerberos?
Yes.  It is completely different and doesn't use a special userPassword 
value.
> The default suggested setup is with pamIDMapMethod = RDN, so this should map to 'uid' for my users.  I assume with pamFallback = FALSE that the userPassword attribute never gets used?
>   
Correct.
> I'm hoping to test the basic setup, but will eventually need to support users in different KerberosV realms.  I am imagining in that case that I should use pamIDMapMethod = ENTRY with pamIDAttr set appropriately and filled with the full userprinciple name, ie user at REALM not just user.  Yes?
>   
Yes.
> Last time I used PADL's MigrateTools scripts to parse flat passwd files into ldif files for user entries, it had the ability to add an attribute to a person's entry with these attributes:
>   objectClass: kerberosSecurityObject
>   krbName: user at realm
> This seems like a good candidate for the pamIDAttr value; I didn't use it at the time because I would need to find the right schema file to support this attribute.  Any ideas where to find this?  Once found, I assume it goes in serverroot/slapd-instance/config/schema, what would I call the file however?  I don't know what the numbering on the filenames indicates.
>   
The numbering indicates the order in which it is loaded - 00 is first, 
99 is last.  Most of the schema shipped with the server is in the range 
00-50.  I suggest you use 60krb5.ldif or something like that.
> My setup: I'm testing on a FDS 1.0.4 install runing on RedHat 4; I am part of a network that uses Active Directory for Window authentication, and I can use pam_krb5.so in my PAM setup as long as I'm using only one realm.  I think this passthrough module is a good match for what I need, if it gets me the cross-realm capability by way of the pamIDAttr.  I do NOT think I can use straight SASL mapping to do this, because I do not have sufficient privileges to add the ldap server to the AD domain, so I can't get the ldap/<server>@rREALM principle into place in AD.
>   
SASL mapping should work for SASL BINDs.  The PAM passthru plugin should 
only be used in those cases where you have a client that only supports 
simple (i.e. username/password) BIND.
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20061121/db176775/attachment.bin 


[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux