[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: gssapi, sasl, pam interaction

paul k [paul@subsignal.org] wrote:
|> Adrian Worthington wrote:
|> >	  what i can't figure out is how to hold directory information
|> >in the ldap server, the password in kerberos and setup pam_ldap to use
|> >the password given to the login process to aquire a ticket from the
|> >kerberos server,
|> AFAIK that is what pam_krb5 does.

but, there have been posts which discourage the use of pam_krb5 due to
way any remote services will send an unencrypted password across the
network, making the usage of kerberos pointless (accepted the way to
solve this is not to use those type of login services, ie telnet
|> >and have ldap/sasl-gssapi use the identity based on the
|> >kerberos authentication to retrieve all the neccessary account and user
|> >information from the ldap server (shell, user, uidnumber etc.). 
|> That would mean, pam_ldap and nss_ldap have to support SASL/GSSAPI to 
|> bind with your kerberos credentials to the directory, I don't think it 
|> is possible/supported (would be nice anyway).

yes this step would be nice, it would make the whole operation seamless.

|> hth

yes thanks, i guess for now the best way is just to setup login via pam
using ldap as the account and session,  and kerberos as the auth, mixing
and matching pam_krb5 and pam_ldap.

|>  Paul



Attachment: pgpIJlfUT1VZ3.pgp
Description: PGP signature