Re: gssapi, sasl, pam interaction
On Fri, Sep 26, 2003 at 09:31:41AM -0400, Stephen Frost wrote:
> > The idea in your case is to use kerberos for authentication (pam_krb5) and
> > ldap for authorization (nss_ldap). You won't be using pam_ldap, since you
> > don't even use the userPassword attribute.
>
> It's possible you'd want to use pam_ldap for (authorization), perhaps on a
> per-service basis (allow for POP3 but not for ssh, for example). Or if
> you want to have all UIDs available but only allow access for certain
> people (NFS server or other reasons).
Correct indeed. There are many authorization mechanisms that can be used with
pam, such as the host attribute, or a forced group membership.
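
The split discussed in this thread, sketched as a configuration (an added example, not part of the original messages): pam_krb5 handles authentication while pam_ldap runs only in the account phase, enforcing the host attribute and a required group. The file paths are common defaults, and the server name, base DN and group DN are constructed placeholders.

```conf
# ---- /etc/pam.d/sshd (path assumed; one file per service) ----
# Authentication: the password is verified against the KDC.
# No userPassword attribute in LDAP is involved.
auth      required   pam_krb5.so

# Authorization: pam_ldap is used only for the account phase.
# It never sees the password here; it just decides whether this
# user may use this service on this machine.
account   required   pam_ldap.so

# A service that should stay open to every directory user (for
# example POP3) simply leaves the pam_ldap account line out of
# its own /etc/pam.d file.

# ---- /etc/ldap.conf (pam_ldap settings; path assumed) ----
# Placeholder server and search base.
host ldap.example.com
base dc=example,dc=com

# Host attribute check: the user's entry must carry a "host"
# value matching this machine, otherwise the account phase fails.
pam_check_host_attr yes

# Forced group membership: the user must also be listed in this
# group, using the member attribute named below.
pam_groupdn cn=ssh-users,ou=Groups,dc=example,dc=com
pam_member_attribute uniqueMember
```

nss_ldap still resolves every UID on the machine; a user who fails either check is known to the system but is refused at the account step.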