[Date Prev][Date Next]
Re: Kerberos and LDAP - Part 1
On Thu, Aug 03, 2000 at 09:17:49AM -0400, Chris Young wrote:
> I've been watching and reading this list for quite a while (you guys have
> certainly shared some really good info!) and I seen a few post associated with
> this, but nothing concrete.
> I'm trying to get a handle on Kerberos & LDAP integration. In particular, I
> would like to be able to store the authentication information
> (username/password) in Kerberos while using LDAP for all of the pertinent
> Here's MY understanding of how this would work with Linux/PAM:
> PAM controls authentication, therefore the proper pam modules and settings must
> be placed in the proper PAM configuration files such that:
> 1. pam_ldap makes certain that the user account exists (auth entry)
> 2. pam_kerberos performs the actual authentication (auth entry)
> 3. pam_kerberos is in charge of password changes (password entry)
Typically, with the nsswitch setup you describe below, you'd leave step 1
to pam_unix to perform during account management. You will also probably
want to continue to have pam_unix with "sufficient" as its control flag,
as you very rarely want a non-local root account. Otherwise, correct as
far as I can see.
> Then, in /etc/nsswitch.conf, 'ldap' needs to be included in the entries so that
> username, groups, hosts, etc. get looked up in ldap.
> Now, what are the potential problems with this scenario? If anyone can help me
> with this, I would greatly appreciate it.
Be careful of how heavily you load your server. Without some caching
mechanism (nscd, if your OS has a version), you'll generate a query for
each and every getpwnam() and getpwuid() call (which means one per line
when you run "ls -l").