[Date Prev][Date Next] [Chronological] [Thread] [Top]

gssapi, sasl, pam interaction

	i have read as much as i can on the web about this subject
(including the stuff at bayour.com, ofb.net/~jheiss/krbldap/ and
relevant posting on this mailing list) and was wondering if somebody
could help me fill in the missing pieces.

	  i have set up a kerberos realm, and an ldap server. with this
setup i can get a ticket from the tgs, and using this identity
authenticate against the ldap server. the sasl-regexp is setup
correctly and ldapwhoami returns the correct user and information, using
sasl authentication. 

	the final piece of the puzzle i am trying to solve is to login
securely using this setup. there have been posts on this list stating
that pam_krb5 is a bad solution for the pam login service, as for
services such as telnet the password is sent in plain text across the
network, defeating the purpose of using kerberos. therefore the only
secure method is to use pam_ldap, and force an ssl connection between
the client and server. so far so good, another point raised is unless
authentication is only possible against the ldap server and the
passwords are held in kerberos there is no need to use the userPassword
attribute with the {kerberos}XXXXXXX mechanism, which forces the ldap
server to retrieve the password from the kerberos server.

	  what i can't figure out is how to hold directory information
in the ldap server, the password in kerberos and setup pam_ldap to use
the password given to the login process to aquire a ticket from the
kerberos server, and have ldap/sasl-gssapi use the identity based on the
kerberos authentication to retrieve all the neccessary account and user
information from the ldap server (shell, user, uidnumber etc.). if
anybody has setup this configuration could they please outline the
steps taken to setup pam_ldap and the pam.d/login (or system-auth)
files correctly.

thanks in advance


Attachment: pgpW8QrzLopff.pgp
Description: PGP signature