pass-thru questions

MJD Shop Account wrote:
>>> How does use of this plugin relate to setting the userPassword attribute to something like '{KERBEROS}user at REALM'?  Is that a completely separate method for using kerberos?
>>>       
>> Yes.  It is completely different and doesn't use a special userPassword 
>> value.
>>     
>
> Where would it be appropriate to use the {KERBEROS}user at REALM method?  Any pointers to read up on it?  I think an earlier message thread indicated it was deprecated...  I'm not sure which is the best for my situation.  If it required saslauthd, for instance, that would not work for me.
>   
Fedora DS does not support the {KERBEROS}user at REALM method in the 
userPassword attribute.  That is an OpenLDAP-only feature, AFAIK.
>   
>> SASL mapping should work for SASL BINDs.  The PAM passthru plugin should 
>> only be used in those cases where you have a client that only supports 
>> simple (i.e. username/password) BIND.
>>     
>
> I guess I'm not 100% sure how this will work for, say, someone logging in via a console.  Right now, I have a pam modules stack with pam_ldap.so followed by pam_krb5.so.  How would a login at a console terminal (either text or RH graphical Xwindows login) result in an SASL bind to LDAP?  My /etc/ldap.conf is set for anonymous binds.  Perhaps I should reverse the order and have krb5 before ldap, as I want krb5 to be used ultimately for authentication.  Right now, the user might have an LDAP password and a separate krb5 password, if they log in with the krb5 password they get KerberosV credentials as shown by klist.
>
> To be clear again, I would still need the passthrough to support the cross-realm situation, I think.  So maybe ldap before krb5 is just fine for that reason.
>
> Another more general question.  As I want to use the passthrough module strictly to do the Kerberos logins, I assume the 'ldapserver' pam file would only need pam_krb5.so and not, for example, pam_unix.so.  Is that right?
>   
I think so, but I'm not sure.  You'll have to ask a PAM guru for that.
> Thanks!
>
> Marty
>

