[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: gssapi, sasl, pam interaction

On Fri, Sep 26, 2003 at 09:31:41AM -0400, Stephen Frost wrote:
> > The idea in your case is to use kerberos for authentication (pam_krb5) and
> > ldap for authorization (nss_ldap). You won't be using pam_ldap, since you
> > don't even use the userPassword attribute.
> It's possible you'd want to use pam_ldap for (authorization), perhaps on a 
> per-service basis (allow for POP3 but not for ssh, for example).  Or if
> you want to have all UIDs available but only allow access for certain
> people (NFS server or other reasons).

Correct indeed. There are many authorization mechanisms that can be used with
pam, such as the host attribute, or a forced group membership.