[Fedora-directory-users] pass-thru questions

Richard Megginson rmeggins at redhat.com
Tue Nov 21 21:49:43 UTC 2006


MJD Shop Account wrote:
>>> How does use of this plugin relate to setting the userPassword attribute to something like '{KERBEROS}user@REALM'?  Is that a completely separate method for using kerberos?
>>>       
>> Yes.  It is completely different and doesn't use a special userPassword 
>> value.
>>     
>
> Where would it be appropriate to use the {KERBEROS}user@REALM method?  Any pointers to read up on it?  I think an earlier message thread indicated it was deprecated...  I'm not sure which is the best for my situation.  If it required saslauthd, for instance, that would not work for me.
>   
Fedora DS does not support the {KERBEROS}user@REALM method in the 
userPassword attribute.  That is an OpenLDAP only feature, AFAIK.
>   
>> SASL mapping should work for SASL BINDs.  The PAM passthru plugin should 
>> only be used in those cases where you have a client that only supports 
>> simple (i.e. username/password) BIND.
>>     
>
> I guess I'm not 100% sure how this will work for, say, someone logging in via a console.  Right now, I have a pam modules stack with pam_ldap.so followed by pam_krb5.so.  How would a login at a console terminal (either text or RH graphical Xwindows login) result in an SASL bind to LDAP?  My /etc/ldap.conf is set for anonymous binds.  Perhaps I should reverse the order and have krb5 before ldap, as I want krb5 to be used ultimately for authentication.  Right now, the user might have an LDAP password and a separate krb5 password, if they log in with the krb5 password they get KerberosV credentials as shown by klist.
>
> To be clear again, I would still need the passthrough to support the cross-realm situation, I think.  So maybe ldap before krb5 is just fine for that reason.
>
> Another more general question.  As I want to use the passthrough module strictly to do the Kerberos logins, I assume the 'ldapserver' pam file would only need pam_krb5.so and not, for example, pam_unix.so.  Is that right?
>   
I think so, but I'm not sure.  You'll have to ask a PAM guru for that.
> Thanks!
>
> Marty