Re: pass-thru questions

MJD Shop Account wrote:
> How does use of this plugin relate to setting the userPassword attribute to something like '{KERBEROS}user@REALM'?  Is that a completely separate method for using Kerberos?
Yes. It is completely different and doesn't use a special userPassword value.

> Where would it be appropriate to use the {KERBEROS}user@REALM method?  Any pointers to read up on it?  I think an earlier message thread indicated it was deprecated...  I'm not sure which is the best for my situation.  If it required saslauthd, for instance, that would not work for me.
Fedora DS does not support the {KERBEROS}user@REALM method in the userPassword attribute. That is an OpenLDAP only feature, AFAIK.
SASL mapping should work for SASL BINDs. The PAM passthru plugin should only be used in those cases where you have a client that only supports simple (i.e. username/password) BIND.

> I guess I'm not 100% sure how this will work for, say, someone logging in via a console.  Right now, I have a PAM module stack with pam_ldap.so followed by pam_krb5.so.  How would a login at a console terminal (either text or RH graphical Xwindows login) result in an SASL bind to LDAP?  My /etc/ldap.conf is set for anonymous binds.  Perhaps I should reverse the order and have krb5 before ldap, as I want krb5 to be used ultimately for authentication.  Right now, the user might have an LDAP password and a separate krb5 password; if they log in with the krb5 password they get KerberosV credentials as shown by klist.
>
> To be clear again, I would still need the passthrough to support the cross-realm situation, I think.  So maybe ldap before krb5 is just fine for that reason.
>
> Another more general question.  As I want to use the passthrough module strictly to do the Kerberos logins, I assume the 'ldapserver' pam file would only need pam_krb5.so and not, for example, pam_unix.so.  Is that right?
I think so, but I'm not sure.  You'll have to ask a PAM guru for that.
> Thanks!
>
> Marty

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
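The ordering question in the thread (pam_ldap.so before pam_krb5.so, or the reverse, and whether the 'ldapserver' service used by the PAM passthru plugin can carry pam_krb5.so alone) comes down to how Linux-PAM walks an auth stack. The script below is an added illustration, not code from the thread, from Fedora DS or from Linux-PAM: it parses pam.d-style auth lines and evaluates them with the simple control keywords (required, requisite, sufficient, optional; the bracketed [value=action] syntax is not modelled). The three stacks and the per-module outcomes are constructed inputs standing in for what pam_ldap.so and pam_krb5.so would return for a user who types the LDAP password or the Kerberos password; the 'ldapserver' service name is the one named in the thread.

```python
"""Simulate Linux-PAM auth stack evaluation for the orderings discussed
in the thread. Added example; module results are constructed inputs."""

from dataclasses import dataclass


@dataclass
class Entry:
    control: str   # required | requisite | sufficient | optional
    module: str    # e.g. "pam_krb5.so"


def parse_stack(text):
    """Keep the 'auth' lines of a pam.d file as (control, module) entries.
    Comments, blank lines and other management groups are skipped."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != "auth":
            continue
        stack.append(Entry(parts[1], parts[2]))
    return stack


def run_auth_stack(stack, results):
    """Walk the stack with PAM's simple-control semantics.

    results maps module name -> True (PAM_SUCCESS) or False (any failure);
    a module missing from the map is treated as failing.
    Returns (authenticated, modules_actually_consulted)."""
    consulted = []
    impression = None      # None = undecided, True = positive, False = negative
    for entry in stack:
        ok = results.get(entry.module, False)
        consulted.append(entry.module)
        if entry.control == "requisite":
            if not ok:
                return False, consulted          # fail immediately
            if impression is None:
                impression = True
        elif entry.control == "required":
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False               # keep walking, final result is failure
        elif entry.control == "sufficient":
            if ok and impression is not False:
                return True, consulted           # short-circuit success
        elif entry.control == "optional":
            if ok and impression is None:
                impression = True
        else:
            raise ValueError(f"unsupported control keyword: {entry.control}")
    # Nothing positive decided (e.g. every sufficient module failed) is a denial.
    return impression is True, consulted


def login(stack_text, results):
    return run_auth_stack(parse_stack(stack_text), results)


# Constructed stacks (not the poster's real files).
LDAP_FIRST = """
auth sufficient pam_ldap.so
auth sufficient pam_krb5.so use_first_pass
auth required   pam_deny.so
"""
KRB5_FIRST = """
auth sufficient pam_krb5.so
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so
"""
# The 'ldapserver' service the PAM passthru plugin would call, with pam_krb5.so only.
LDAPSERVER = """
auth required pam_krb5.so
"""

# Constructed outcomes: which backend accepts the password the user typed.
TYPED_KRB5_PASSWORD = {"pam_ldap.so": False, "pam_krb5.so": True}
TYPED_LDAP_PASSWORD = {"pam_ldap.so": True, "pam_krb5.so": False}
TYPED_WRONG_PASSWORD = {}

if __name__ == "__main__":
    for name, stack in (("ldap-first", LDAP_FIRST), ("krb5-first", KRB5_FIRST),
                        ("ldapserver", LDAPSERVER)):
        for pw, res in (("krb5 pw", TYPED_KRB5_PASSWORD), ("ldap pw", TYPED_LDAP_PASSWORD),
                        ("wrong pw", TYPED_WRONG_PASSWORD)):
            print(name, pw, login(stack, res))
```

The consulted list is the useful part: with ldap-first and a user who types the LDAP password, pam_krb5.so never runs, so no ticket is obtained, which matches the klist observation in the thread; with the krb5-only 'ldapserver' stack, an LDAP-only password is rejected outright, so the passthru bind succeeds only for Kerberos credentials.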
