New PAM module pam_krb5+ldap
Aaron Hope
edh+pam at physics.unh.edu
Thu Oct 13 18:41:33 UTC 2005
Hello,
I am rather curious as to why nss_ldap is not appropriate for the
situation you describe. My experience is with OpenLDAP and nss_ldap
+pam_ldap, so I am probably missing something here. With OpenLDAP, if I
wanted to keep the contents of the directory private, I would just have
the hosts authenticate to a service account, probably using
certificates, and have nscd perform the authenticated name resolution.
Could you not accomplish something similar with kerberos? What about
group support? Is this meant to complement a libnss module?
On Thu, 2005-10-13 at 08:55 -0600, Jason Gerfen wrote:
> Morning,
> I have been working on making some additions to the original
> pam_krb5 module for a little while and I can say that it is stable
> enough for release. Details on the additions follow;
>
> pam_krb5+ldap
>
> requirements:
> Linux-PAM libs
> Kerberos libs
> OpenLDAP libs
>
> summary:
> Anyone that has used the existing pam_krb5 authentication module for
> linux clients has at some point had to configure a new service to
> provide user enumeration such as NIS, Samba etc., or as well as setting
> up a new service had to configure the pam_ldap module or some other
> method of keeping user accounts, more specifically the uid, and gid for
> the user available to the pam_krb5 module during the TGT verification
> process.
>
> Since we do not authenticate users against LDAP, NIS or Samba but have a
> LDAP / AD directory filled with users, uid's, gid's, home directory's
> and default shell's I have added a couple of functions to generate the
> userdata that populates the AD (unix services schema) / LDAP directory
> and hand it off to the TGT verification process.
>
> Not everyone out there has this type of setup I understand, but for
> those that do require Kerberos authentication and don't wish to run a
> secondary service such as NIS when they already have a good AD / LDAP
> directory filled with user data this is your module.
>
> I hope this helps some people out and if you find anything wrong with it
> let me know.
>
> http://sourceforge.net/projects/pam-krb5-ldap
>
--
Aaron Hope <Aaron.Hope at unh.edu>
UNH NPG Systems Administrator
PGP key: http://perennialmind.cjb.net/gpg_key.txt
More information about the Pam-list
mailing list