Re: Kerberos and LDAP - Part 1
On Thu, Aug 03, 2000 at 09:17:49AM -0400, Chris Young wrote:
> I've been watching and reading this list for quite a while (you guys have
> certainly shared some really good info!) and I've seen a few posts associated with
> this, but nothing concrete.
>
> I'm trying to get a handle on Kerberos & LDAP integration. In particular, I
> would like to be able to store the authentication information
> (username/password) in Kerberos while using LDAP for all of the pertinent
> information.
>
> Here's MY understanding of how this would work with Linux/PAM:
>
> PAM controls authentication, therefore the proper pam modules and settings must
> be placed in the proper PAM configuration files such that:
> 1. pam_ldap makes certain that the user account exists (auth entry)
> 2. pam_kerberos performs the actual authentication (auth entry)
> 3. pam_kerberos is in charge of password changes (password entry)
Typically, with the nsswitch setup you describe below, you'd leave step 1
to pam_unix to perform during account management. You will also probably
want to continue to have pam_unix with "sufficient" as its control flag,
as you very rarely want a non-local root account. Otherwise, correct as
far as I can see.
> Then, in /etc/nsswitch.conf, 'ldap' needs to be included in the entries so that
> username, groups, hosts, etc. get looked up in ldap.
Also correct.
> Now, what are the potential problems with this scenario? If anyone can help me
> with this, I would greatly appreciate it.
Be careful of how heavily you load your server. Without some caching
mechanism (nscd, if your OS has a version), you'll generate a query for
each and every getpwnam() and getpwuid() call (which means one per line
when you run "ls -l").
Nalin
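A configuration sketch of the stack described in this exchange, added here as an example and not taken from either poster: pam_unix kept "sufficient" so local accounts such as root never depend on the KDC, pam_krb5 handling authentication and password changes, the "does this account exist" check left to pam_unix in the account phase (which reaches LDAP through nsswitch), and nscd caching to avoid one directory query per getpwnam()/getpwuid(). Module names assume Linux-PAM with the pam_krb5 module installed; file names and TTL values are illustrative.

```text
# /etc/pam.d/login  (illustrative; service name and module paths vary by distribution)

# auth: local shadow file first. "sufficient" means a local password that
# matches ends the stack successfully, so root still works if the KDC is down.
# A non-local user has no local shadow entry, so pam_unix fails here and
# pam_krb5 decides, reusing the password already typed (use_first_pass).
auth        sufficient    pam_unix.so
auth        required      pam_krb5.so use_first_pass

# account: pam_unix calls getpwnam() for the user; with "passwd: files ldap"
# below, that lookup reaches the directory, so an account missing from both
# /etc/passwd and LDAP fails here. This is "step 1" of the original post.
account     required      pam_unix.so

# password: local accounts change /etc/shadow; everyone else changes their
# Kerberos principal. use_authtok makes pam_krb5 reuse the new password
# already collected by pam_unix instead of prompting twice.
password    sufficient    pam_unix.so
password    required      pam_krb5.so use_authtok

session     required      pam_unix.so

# /etc/nsswitch.conf  (only the relevant lines)
# shadow stays local on purpose: the hashed secrets live in Kerberos, not LDAP.
passwd:     files ldap
shadow:     files
group:      files ldap
hosts:      files dns ldap

# /etc/nscd.conf  (only the relevant lines; TTLs in seconds are illustrative)
# Without this cache every "ls -l" issues one directory query per line.
enable-cache            passwd      yes
positive-time-to-live   passwd      600
negative-time-to-live   passwd      20
enable-cache            group       yes
positive-time-to-live   group       600
```

Check the result from a second, already-logged-in root shell before logging out: a failed Kerberos bind or a stopped nscd should degrade lookups and logins, never lock out the local root account.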