Re: FDS / PAM Integration Questions

Jonathan Schreiter wrote:
> Hi All,
> I am interested in switching from MIT Kerberos5 (GSSAPI/SASL), OpenLDAP to FDS. Primarily, I'm looking for authentication and authorization for fedora / centos console logins (via PAM).
>
> Currently I have a cron job that keeps a kerberos service principal alive to allow slapd to bind to openldap (as I've also disabled anonymous binds). I also have startTLS running w/o client authentication (just server certificates and the local client has the CA pub cert).
> I then have nsswitch/pam configured to use these for console (console, ssh, etc.) logins.
> I'm currently using the pam_sasl_mech GSSAPI and pam_groupdn features of the /etc/ldap.conf (/etc/openldap/ldap.conf) to manage authorization to the local system (by pointing to a posix group dn).
>
> I was able to set up FDS for console sessions with cleartext and nsswitch. I'm not sure which route to take in terms of locking down FDS with a pure linux environment. The straight SSL certificate approach seems to want the user to enter a password before a bind, so I'm not sure that's compatible with PAM. Is TLS a better option for this? The last option seems to be to keep Kerberos / GSSAPI, but I've read some posts where you can't easily do this.

It's not that bad.

> I've tried to make the SASL mapping as the docs show, but was unsuccessful.

I think your best option is to just keep Kerberos for authentication, especially if you are already using it successfully for other apps. What problems did you have with SASL mapping?

Did you see this - http://directory.fedora.redhat.com/wiki/Howto:Kerberos

> Can anyone point me in the right direction for the best way to accomplish secure PAM / FDS integration? Any help would be greatly appreciated.
> Many thanks!
> Jonathan
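As an added example (not from the thread or the Fedora Directory project), a POSIX shell audit of an nss_ldap/pam_ldap style /etc/ldap.conf for the settings Jonathan describes: GSSAPI SASL bind, StartTLS with server certificate verification, and pam_groupdn-based console authorization. Directive names are the PADL nss_ldap/pam_ldap ones; the hostname, CA path and group DN in the sample configs are constructed values.

```shell
#!/bin/sh
# Audit an nss_ldap/pam_ldap /etc/ldap.conf for the hardening discussed in
# the thread. Returns 0 when every directive is present with the expected
# value, otherwise prints each missing/weak directive and returns 1.
# Comment lines are ignored and runs of blanks are collapsed, so a
# commented-out "# pam_groupdn ..." does not count as configured.
audit_ldap_conf() {
    conf="$1"
    missing=0
    for want in \
        'ssl start_tls' \
        'tls_checkpeer yes' \
        'tls_cacertfile /' \
        'use_sasl on' \
        'pam_sasl_mech GSSAPI' \
        'pam_groupdn cn=' ; do
        if ! grep -v '^[[:space:]]*#' "$conf" | tr -s '[:blank:]' ' ' \
             | grep -qi "^$want"; then
            echo "missing or weak: $want"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample configs (hostname, CA path, group DN are placeholders).
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
uri ldap://ldap.example.internal
base dc=example,dc=internal
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.pem
use_sasl on
pam_sasl_mech GSSAPI
pam_groupdn cn=console-users,ou=Groups,dc=example,dc=internal
pam_member_attribute memberUid
EOF
cat > "$BAD" <<'EOF'
uri ldap://ldap.example.internal
base dc=example,dc=internal
# tls_checkpeer no accepts any server certificate, defeating StartTLS
ssl start_tls
tls_checkpeer no
pam_sasl_mech GSSAPI
# pam_groupdn cn=console-users,ou=Groups,dc=example,dc=internal
EOF
audit_ldap_conf "$GOOD" && echo "$GOOD: ok"
audit_ldap_conf "$BAD" || echo "$BAD: needs attention"
rm -f "$GOOD" "$BAD"
```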

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
