
Re: KerberosV OpenLDAP and PAM



On Saturday, 30 August 2003 23:06, Matthijs Mohlmann wrote:
> Hey all,
>
> I use KerberosV for authentication. For all types of data I use OpenLDAP,
> and for logging in to a computer on the network I use PAM.
>
> When I use KerberosV, I do this:
> auth  requisite  pam_securetty.so
> auth  requisite  pam_nologin.so
> auth  required   pam_env.so
> auth  sufficient pam_krb5.so
> auth  required   pam_unix.so nullok
> account  sufficient      pam_krb5.so
> account  required        pam_unix.so
> session  sufficient      pam_krb5.so
> session  required        pam_unix.so
>
> When I use PAM, I do this:
> auth  requisite  pam_securetty.so
> auth  requisite  pam_nologin.so
> auth  required   pam_env.so
> auth  sufficient pam_ldap.so
> auth  required   pam_unix.so nullok
> account  sufficient      pam_ldap.so
> account  required        pam_unix.so
> session  sufficient      pam_ldap.so
> session  required        pam_unix.so
>
> Now I want these together, but I don't know how. I've read the
> PAM documentation but I don't get it.
>
> What I want is the security of KerberosV and the flexibility of
> OpenLDAP.
>
> My configuration now is that in OpenLDAP there is an attribute userPassword,
> and this attribute points to the KerberosV database.
>
> And if it can't be done, I'll make my own PAM module tomorrow :)

I'm using this. You'll have to strip out the openafs session, but basically it
should work:

auth       required     pam_nologin.so
auth       sufficient   pam_krb5.so forwardable
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_unix.so try_first_pass
auth       required     pam_env.so # [1]

account    sufficient   pam_krb5.so
account    sufficient   pam_ldap.so
account    required     pam_unix.so

session    required     pam_mkhomedir.so skel=/etc/skel umask=0077
session    optional     pam_krb5.so
session    optional     pam_openafs_session.so
session    optional     pam_ldap.so
session    required     pam_unix.so
session    optional     pam_lastlog.so # [1]
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so

password required       pam_cracklib.so retry=3 minlen=6 difok=3
password required       pam_unix.so use_authtok nullok md5

Hope it helps,
Cajus
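
As an added illustration (not part of the thread, and not Cajus's or the
OP's code): a small Python simulator of Linux-PAM's simple control keywords
(requisite, required, sufficient, optional), run over the auth section of
the merged stack from the reply. It shows why the order matters: a
sufficient pam_krb5 success ends the stack before pam_ldap is consulted, a
Kerberos failure falls through to LDAP and then to pam_unix, and a failed
required pam_nologin cannot be bypassed by a later sufficient success. It
also lists which auth modules would prompt for a password themselves, i.e.
those without use_first_pass/try_first_pass. Assumptions: modules not
mentioned in a scenario are treated as succeeding (pam_env and friends on
the happy path), the set of password-prompting modules is constructed for
this example, and the per-module results are made up.

```python
"""Simulate Linux-PAM control-flag semantics over the merged auth stack.

Added example, not from the original thread.  The stack text below is the
auth section of the reply's configuration; the module results in each
scenario are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Auth section of the merged stack from the reply.  pam_env carries the
# "# [1]" marker there; the parser strips such trailing comments.
MERGED_STACK_TEXT = """
auth       required     pam_nologin.so
auth       sufficient   pam_krb5.so forwardable
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_unix.so try_first_pass
auth       required     pam_env.so # [1]
"""

# Constructed for this example: modules that ask for a password themselves.
AUTHENTICATORS = {"pam_krb5.so", "pam_ldap.so", "pam_unix.so"}
CONTROLS = {"requisite", "required", "sufficient", "optional"}


@dataclass
class Rule:
    control: str        # requisite | required | sufficient | optional
    module: str         # e.g. pam_krb5.so
    args: List[str]     # module arguments such as use_first_pass


@dataclass
class Verdict:
    granted: bool
    trace: List[str] = field(default_factory=list)


def parse_stack(text: str, facility: str = "auth") -> List[Rule]:
    """Parse pam.conf-style lines, keeping only the requested facility."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] != facility:
            continue
        if parts[1] not in CONTROLS:
            raise ValueError(f"unsupported control keyword: {parts[1]}")
        rules.append(Rule(parts[1], parts[2], parts[3:]))
    return rules


def evaluate(rules: List[Rule], results: Dict[str, bool]) -> Verdict:
    """Walk the stack applying Linux-PAM's simple control keywords.

    `results` maps a module name to True (PAM_SUCCESS) or False (failure).
    Modules not listed are assumed to succeed (assumption made here).
    """
    v = Verdict(granted=False)
    if rules and all(r.control == "optional" for r in rules):
        # optional only decides the outcome when nothing else is stacked
        v.granted = results.get(rules[-1].module, True)
        return v
    required_failed = False
    for r in rules:
        ok = results.get(r.module, True)
        v.trace.append(f"{r.control:10} {r.module:16} -> {'ok' if ok else 'FAIL'}")
        if r.control == "requisite" and not ok:
            v.trace.append("requisite failed: stop, deny")
            return v
        if r.control == "required" and not ok:
            required_failed = True          # remembered; stack continues
        if r.control == "sufficient" and ok and not required_failed:
            v.trace.append("sufficient ok: stop, grant")
            v.granted = True
            return v
        # optional results never change a multi-module stack's outcome
    v.granted = not required_failed
    return v


def prompting_modules(rules: List[Rule]) -> List[str]:
    """Auth modules that would ask for the password themselves rather than
    reuse the one already collected (use_first_pass / try_first_pass)."""
    reuse = {"use_first_pass", "try_first_pass"}
    return [r.module for r in rules
            if r.module in AUTHENTICATORS and not (reuse & set(r.args))]


MERGED_AUTH = parse_stack(MERGED_STACK_TEXT)

if __name__ == "__main__":
    scenarios = {
        "kerberos password accepted": {"pam_krb5.so": True},
        "kerberos fails, LDAP accepts": {"pam_krb5.so": False, "pam_ldap.so": True},
        "no backend accepts": {"pam_krb5.so": False, "pam_ldap.so": False,
                               "pam_unix.so": False},
        "/etc/nologin present": {"pam_nologin.so": False, "pam_krb5.so": True},
    }
    for name, res in scenarios.items():
        v = evaluate(MERGED_AUTH, res)
        print(f"== {name}: {'GRANTED' if v.granted else 'DENIED'}")
        for line in v.trace:
            print("   ", line)
    print("modules that prompt on their own:", prompting_modules(MERGED_AUTH))
```

Running it prints the walk for each scenario; the last line shows that only
pam_krb5 prompts in the merged stack, so a user whose Kerberos password is
rejected is not asked again by pam_ldap or pam_unix.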
