New PAM module pam_krb5+ldap

Aaron Hope edh+pam at physics.unh.edu
Thu Oct 13 18:41:33 UTC 2005


Hello,
I am rather curious as to why nss_ldap is not appropriate for the
situation you describe.  My experience is with OpenLDAP and
nss_ldap+pam_ldap, so I am probably missing something here.  With OpenLDAP, if I
wanted to keep the contents of the directory private, I would just have
the hosts authenticate to a service account, probably using
certificates, and have nscd perform the authenticated name resolution.
Could you not accomplish something similar with Kerberos?  What about
group support?  Is this meant to complement a libnss module?

On Thu, 2005-10-13 at 08:55 -0600, Jason Gerfen wrote:
> Morning,
>     I have been working on making some additions to the original 
> pam_krb5 module for a little while, and I can say that it is stable 
> enough for release.  Details on the additions follow:
> 
> pam_krb5+ldap
> 
> requirements:
> Linux-PAM libs
> Kerberos libs
> OpenLDAP libs
> 
> summary:
> Anyone that has used the existing pam_krb5 authentication module for 
> Linux clients has at some point had to configure a new service to 
> provide user enumeration, such as NIS, Samba, etc., or, as well as setting 
> up a new service, had to configure the pam_ldap module or some other 
> method of keeping user accounts, more specifically the uid and gid for 
> the user, available to the pam_krb5 module during the TGT verification 
> process.
> 
> Since we do not authenticate users against LDAP, NIS or Samba but have an 
> LDAP / AD directory filled with users, uids, gids, home directories 
> and default shells, I have added a couple of functions to generate the 
> user data that populates the AD (Unix services schema) / LDAP directory 
> and hand it off to the TGT verification process.
> 
> Not everyone out there has this type of setup, I understand, but for 
> those that do require Kerberos authentication and don't wish to run a 
> secondary service such as NIS when they already have a good AD / LDAP 
> directory filled with user data, this is your module.
> 
> I hope this helps some people out, and if you find anything wrong with it, 
> let me know.
> 
> http://sourceforge.net/projects/pam-krb5-ldap
> 
-- 
Aaron Hope <Aaron.Hope at unh.edu>
UNH NPG Systems Administrator
PGP key: http://perennialmind.cjb.net/gpg_key.txt
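Both messages above turn on the same mapping: whichever component does the lookup (the pam_krb5+ldap functions Jason describes, or nss_ldap plus nscd as Aaron suggests), the client ends up taking uidNumber, gidNumber, homeDirectory and loginShell from a posixAccount (RFC 2307) entry and handing them to the TGT verification step as if they came from /etc/passwd. The C program below is an added example written for this page, not code from pam_krb5+ldap, nss_ldap or pam_ldap. It parses a constructed LDIF entry into a passwd-style record and rejects entries that are not posixAccount, that lack uidNumber or gidNumber, whose numbers are malformed, or that would map a Kerberos principal to uid 0. The attribute names are the standard RFC 2307 ones; the sample entry, the ldif_to_pw helper and the uid-0 policy are assumptions made for the example. A real module would obtain the values from an authenticated ldap_search against the directory rather than from an in-memory string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Passwd-style record filled from one posixAccount (RFC 2307) entry. */
struct ldap_pw {
    char name[64];      /* uid            */
    long uid;           /* uidNumber      */
    long gid;           /* gidNumber      */
    char home[256];     /* homeDirectory  */
    char shell[256];    /* loginShell     */
    int  is_posix;      /* objectClass: posixAccount was present */
    int  have_uid, have_gid;
};

/* Attribute names in LDAP are case-insensitive. */
static int attr_is(const char *a, size_t alen, const char *name)
{
    return strlen(name) == alen && strncasecmp(a, name, alen) == 0;
}

static void copy_val(char *dst, size_t dstlen, const char *v, size_t vlen)
{
    if (vlen >= dstlen) vlen = dstlen - 1;
    memcpy(dst, v, vlen);
    dst[vlen] = '\0';
}

/* Strictly numeric, non-negative value; a malformed uidNumber must not
   silently turn into 0 via a lenient atoi(). */
static int parse_num(const char *v, size_t vlen, long *out)
{
    char buf[32], *end;
    if (vlen == 0 || vlen >= sizeof buf) return -1;
    copy_val(buf, sizeof buf, v, vlen);
    *out = strtol(buf, &end, 10);
    return (*end == '\0' && *out >= 0) ? 0 : -1;
}

/* Map an LDIF entry ("attr: value" lines) to a passwd-style record.
   Returns 0 on success, -1 if the entry is not a posixAccount, lacks a
   required attribute, or would map the user to uid 0. Hypothetical helper. */
int ldif_to_pw(const char *ldif, struct ldap_pw *pw)
{
    const char *p = ldif;
    memset(pw, 0, sizeof *pw);

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *colon = memchr(p, ':', len);
        if (colon) {
            size_t alen = (size_t)(colon - p);
            const char *v = colon + 1;
            size_t vlen;
            while (v < p + len && *v == ' ') v++;
            vlen = (size_t)(p + len - v);

            if (attr_is(p, alen, "uid"))
                copy_val(pw->name, sizeof pw->name, v, vlen);
            else if (attr_is(p, alen, "uidNumber"))
                pw->have_uid = parse_num(v, vlen, &pw->uid) == 0;
            else if (attr_is(p, alen, "gidNumber"))
                pw->have_gid = parse_num(v, vlen, &pw->gid) == 0;
            else if (attr_is(p, alen, "homeDirectory"))
                copy_val(pw->home, sizeof pw->home, v, vlen);
            else if (attr_is(p, alen, "loginShell"))
                copy_val(pw->shell, sizeof pw->shell, v, vlen);
            else if (attr_is(p, alen, "objectClass") &&
                     vlen == 12 && strncasecmp(v, "posixAccount", 12) == 0)
                pw->is_posix = 1;
        }
        p = eol ? eol + 1 : p + len;
    }

    if (!pw->is_posix || !pw->have_uid || !pw->have_gid ||
        pw->name[0] == '\0' || pw->home[0] == '\0')
        return -1;
    if (pw->uid == 0)           /* never let the directory hand out root */
        return -1;
    if (pw->shell[0] == '\0')   /* loginShell is optional in RFC 2307 */
        copy_val(pw->shell, sizeof pw->shell, "/bin/sh", 7);
    return 0;
}

/* Constructed sample entry for the example; not from any real directory. */
const char *SAMPLE_ENTRY =
    "dn: uid=jdoe,ou=People,dc=example,dc=edu\n"
    "objectClass: inetOrgPerson\n"
    "objectClass: posixAccount\n"
    "uid: jdoe\n"
    "uidNumber: 10042\n"
    "gidNumber: 500\n"
    "homeDirectory: /home/jdoe\n"
    "loginShell: /bin/bash\n";

int main(void)
{
    struct ldap_pw pw;
    if (ldif_to_pw(SAMPLE_ENTRY, &pw) == 0)
        printf("%s:x:%ld:%ld::%s:%s\n",
               pw.name, pw.uid, pw.gid, pw.home, pw.shell);
    else
        puts("entry rejected");
    return 0;
}
```

The uid-0 refusal is the check worth keeping whichever lookup path is used: if the host trusts the directory for uidNumber, then anyone who can write that attribute (or spoof an unauthenticated LDAP response) decides which local uid a successfully authenticated Kerberos principal becomes, which is the reason Aaron's suggestion of an authenticated, certificate-protected service bind matters as much as keeping the directory contents private.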