[Fedora-directory-users] Directory Server Authentication Pass through with Kerberos or saslauthd

Fri Sep 26 20:11:39 UTC 2008

Tim Hartmann wrote:
> Rich,
>
> Configuring the pam plugin went really well, and was really
> straighforward to follow, thanks for putting up the docs online and
> writing the pam plugin. I  did have to pull over the 
> libpam-passthru-plugin.so file from a copy of Fedora Directory Server
> v1.1, since it doesn't look like Red Hat Directory Server 8.0  ships
> with it,  the plugin lists as version 1.1 is that the appropriate
> version of the library?
>   
Yes.  Just make sure you use the FC-6 binary since that most closely 
corresponds to RHEL5.
> -Tim
>
>
>
>
>
> Rich Megginson wrote:
>   
>> Tim Hartmann wrote:
>>     
>>> Hi Rich thanks for the reply!
>>>
>>> Rich Megginson wrote:
>>>  
>>>       
>>>>> http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through
>>>>>
>>>>> Which seems like it could work, but seems kind of like a hack for
>>>>> what i'm trying to do and it seemed like I couldn't be the only one
>>>>> who wanted to do it! I suspect there's something I'm just
>>>>> missing!         
>>>>>           
>>>> That hack was invented for those who wanted to use Kerberos as the
>>>> authoritative source for password information.  pampassthru passes the
>>>> password to Kerberos via pam.
>>>>
>>>>     
>>>>         
>>> Thats *really* what I'd like to do... actually keep Kerberos as my
>>> authoritative source for password data, I was hoping there might have
>>> been a saslauthd plugin that I may have missed to proxy passwords back
>>> to ldap as well, or maybe some other step that I'd missed in my
>>> research.
>>>
>>>
>>>  
>>>       
>>>> If you're really interested in using Fedora DS as the authoritative
>>>> source for password information, and have Kerberos use Fedora DS to
>>>> store the passwords, you really need freeipa.org
>>>>     
>>>>         
>>> We took a look at Freeipa.org but it didn't seem to as good a fit for us
>>> especially since we wanted to keep Kerberos as our password store.  If I
>>> can get simple binds to work through pam for those applications that
>>> don't support GSS/SASL that would be a huge win!
>>>
>>>
>>> Out of curiosity, was there any reason for proxing though pam rather
>>> then something like saslauthd?   
>>>       
>> The people who wanted this feature didn't want the overhead of an
>> additional server daemon (saslauthd).  They already had a pam stack
>> that did kerberos auth and they just wanted Fedora DS to use that -
>> pam passthru.
>>     
>>> Thanks again!
>>>
>>> Tim
>>>
>>>
>>> -- 
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>   
>>>       
>> ------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>   
>>     
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20080926/47a4953f/attachment.bin>