Hello,

I am rather curious as to why nss_ldap is not appropriate for the situation you describe. My experience is with OpenLDAP and nss_ldap + pam_ldap, so I am probably missing something here.

With OpenLDAP, if I wanted to keep the contents of the directory private, I would just have the hosts authenticate to a service account, probably using certificates, and have nscd perform the authenticated name resolution. Could you not accomplish something similar with Kerberos?

What about group support? Is this meant to complement a libnss module?

On Thu, 2005-10-13 at 08:55 -0600, Jason Gerfen wrote:
> Morning,
> I have been working on making some additions to the original
> pam_krb5 module for a little while and I can say that it is stable
> enough for release. Details on the additions follow:
>
> pam_krb5+ldap
>
> requirements:
> Linux-PAM libs
> Kerberos libs
> OpenLDAP libs
>
> summary:
> Anyone that has used the existing pam_krb5 authentication module for
> Linux clients has at some point had to configure a new service to
> provide user enumeration such as NIS, Samba etc., or as well as setting
> up a new service had to configure the pam_ldap module or some other
> method of keeping user accounts, more specifically the uid, and gid for
> the user available to the pam_krb5 module during the TGT verification
> process.
>
> Since we do not authenticate users against LDAP, NIS or Samba but have a
> LDAP / AD directory filled with users, uids, gids, home directories
> and default shells I have added a couple of functions to generate the
> userdata that populates the AD (unix services schema) / LDAP directory
> and hand it off to the TGT verification process.
>
> Not everyone out there has this type of setup I understand, but for
> those that do require Kerberos authentication and don't wish to run a
> secondary service such as NIS when they already have a good AD / LDAP
> directory filled with user data this is your module.
>
> I hope this helps some people out and if you find anything wrong with it
> let me know.
>
> http://sourceforge.net/projects/pam-krb5-ldap
>

--
Aaron Hope <Aaron.Hope@xxxxxxx>
UNH NPG Systems Administrator
PGP key: http://perennialmind.cjb.net/gpg_key.txt