[Date Prev][Date Next]
MIT Kerby 5/LDAP integration: Initial success?
Many thanks to all on this list who've helped me get to
where I think I am now.
I'm kind of excited and writing to report what seems to
be at least an initial success (still have to get AFS
data worked into this picture), and to ask some more
questions about how it works and where some things are
stored (number of failed login attempts).
Here's what I've done:
1) Made a standard looking DIT
2) Made a bunch of nodes under this container of type
objectClass: inetOrgPerson; krb5Principal;
krb5KDCEntry; posixAccount (all of them);
3) Made a sasl-regexp of:
4) Made a single ACL rule that let self write cn, sn,
telephoneNumber, seeAlso, description, title,
facsimileTelephoneNumber, street, postOfficeBox,
postalCode, postalAddress, physicalDeliveryOfficeName,
carLicense, departmentNumber, displayName, givenName,
homePhone, homePostalAddress, initials, jpegPhoto,
labeledURI, mail, mobile, o, pager, photo, roomNumber,
secretary, preferredLanguage, loginShell, gecos
4) and another that let * read *
5) I added some nonsense users to my KDC database, and
populated the People nodes with some of these nonsense
users with standard values for things like uid,
uidNumber, gidNumber, etc.
6) on the client machine, configured pam for login,
xdm, et. al. to use the pam_unix2 library, and then
configured pam_unix2.conf as follows:
auth: use_ldap call_modules=krb5afs nullok
account: use_ldap call_modules=krb5afs
password: use_ldap call_modules=krb5afs blowfish
(previously just used "call_modules=krb5afs")
7) Tried to login to the client as one of these
nonsense users (never configured on client machine
before, so no /etc/passwd entry, no home dir, nothing)
8) Success! (warning about non-existent home directory
as listed in the Directory entry for that user).
But I'm curious about one thing (maybe more). At
first, just to make sure I understood what was
happening, I had a user entry in the Directory (john),
but no corresponding principal in the KDC database.
Naturally, this user could not login to the client
machine. However, login prompted twice for his
password (once to check with the KDC? A second time
to check with a local /etc/shadow file?). I tried him
again with same results.
Then, I added his principal to the KDC and tried him
again and success (yeah!). But the login script
reported the two failed attempts... where is that
data stored? Not in the Directory, right? Or if it
is, in what field? Is that information stored locally
on the client? Even though that user has no existence
as far as the client machine is concerned?
Even though I apparently have the integration working
to some degree, I'm sure there's still quite alot
going on that I'm unaware of and/or don't understand,
and that's probably a recipe for disaster, so I'm
trying to understand everything about it.
Could someone point out some of the holes in my
Thanks everyone for all the help!