[Fedora-directory-users] Directory Server Authentication Pass through with Kerberos or saslauthd
Rich Megginson
rmeggins at redhat.com
Fri Sep 26 20:11:39 UTC 2008
Tim Hartmann wrote:
> Rich,
>
> Configuring the pam plugin went really well, and was really
> straighforward to follow, thanks for putting up the docs online and
> writing the pam plugin. I did have to pull over the
> libpam-passthru-plugin.so file from a copy of Fedora Directory Server
> v1.1, since it doesn't look like Red Hat Directory Server 8.0 ships
> with it, the plugin lists as version 1.1 is that the appropriate
> version of the library?
>
Yes. Just make sure you use the FC-6 binary since that most closely
corresponds to RHEL5.
> -Tim
>
>
>
>
>
> Rich Megginson wrote:
>
>> Tim Hartmann wrote:
>>
>>> Hi Rich thanks for the reply!
>>>
>>> Rich Megginson wrote:
>>>
>>>
>>>>> http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through
>>>>>
>>>>> Which seems like it could work, but seems kind of like a hack for
>>>>> what i'm trying to do and it seemed like I couldn't be the only one
>>>>> who wanted to do it! I suspect there's something I'm just
>>>>> missing!
>>>>>
>>>> That hack was invented for those who wanted to use Kerberos as the
>>>> authoritative source for password information. pampassthru passes the
>>>> password to Kerberos via pam.
>>>>
>>>>
>>>>
>>> Thats *really* what I'd like to do... actually keep Kerberos as my
>>> authoritative source for password data, I was hoping there might have
>>> been a saslauthd plugin that I may have missed to proxy passwords back
>>> to ldap as well, or maybe some other step that I'd missed in my
>>> research.
>>>
>>>
>>>
>>>
>>>> If you're really interested in using Fedora DS as the authoritative
>>>> source for password information, and have Kerberos use Fedora DS to
>>>> store the passwords, you really need freeipa.org
>>>>
>>>>
>>> We took a look at Freeipa.org but it didn't seem to as good a fit for us
>>> especially since we wanted to keep Kerberos as our password store. If I
>>> can get simple binds to work through pam for those applications that
>>> don't support GSS/SASL that would be a huge win!
>>>
>>>
>>> Out of curiosity, was there any reason for proxing though pam rather
>>> then something like saslauthd?
>>>
>> The people who wanted this feature didn't want the overhead of an
>> additional server daemon (saslauthd). They already had a pam stack
>> that did kerberos auth and they just wanted Fedora DS to use that -
>> pam passthru.
>>
>>> Thanks again!
>>>
>>> Tim
>>>
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>
>> ------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20080926/47a4953f/attachment.bin>
More information about the Fedora-directory-users
mailing list