paul k [paul@subsignal.org] wrote: |> Adrian Worthington wrote: |> > what i can't figure out is how to hold directory information |> >in the ldap server, the password in kerberos and setup pam_ldap to use |> >the password given to the login process to aquire a ticket from the |> >kerberos server, |> AFAIK that is what pam_krb5 does. but, there have been posts which discourage the use of pam_krb5 due to way any remote services will send an unencrypted password across the network, making the usage of kerberos pointless (accepted the way to solve this is not to use those type of login services, ie telnet etc.). |> |> >and have ldap/sasl-gssapi use the identity based on the |> >kerberos authentication to retrieve all the neccessary account and user |> >information from the ldap server (shell, user, uidnumber etc.). |> That would mean, pam_ldap and nss_ldap have to support SASL/GSSAPI to |> bind with your kerberos credentials to the directory, I don't think it |> is possible/supported (would be nice anyway). yes this step would be nice, it would make the whole operation seamless. |> |> hth yes thanks, i guess for now the best way is just to setup login via pam using ldap as the account and session, and kerberos as the auth, mixing and matching pam_krb5 and pam_ldap. |> Paul |> thanks -- adi
Attachment:
pgpIJlfUT1VZ3.pgp
Description: PGP signature