Re: KerberosV OpenLDAP and PAM
On Saturday, 30 August 2003 23:06, Matthijs Mohlmann wrote:
> Hey all,
>
> I use KerberosV for authentication. For all types of data I use OpenLDAP,
> and for logging in to a computer on the network I use PAM.
>
> When I use KerberosV, I do so:
> auth requisite pam_securetty.so
> auth requisite pam_nologin.so
> auth required pam_env.so
> auth sufficient pam_krb5.so
> auth required pam_unix.so nullok
> account sufficient pam_krb5.so
> account required pam_unix.so
> session sufficient pam_krb5.so
> session required pam_unix.so
>
> When I use PAM, I do so:
> auth requisite pam_securetty.so
> auth requisite pam_nologin.so
> auth required pam_env.so
> auth sufficient pam_ldap.so
> auth required pam_unix.so nullok
> account sufficient pam_ldap.so
> account required pam_unix.so
> session sufficient pam_ldap.so
> session required pam_unix.so
>
> Now I want these together, but I don't know how. I've read the
> PAM documentation but I don't get it.
>
> What I want is the security of KerberosV and the flexibility of
> OpenLDAP.
>
> My configuration is now that in OpenLDAP there is an attribute userPassword,
> and this attribute points to the KerberosV database.
>
> And if it can't be done, I'll write my own PAM module tomorrow :)
I'm using this. You'll have to strip out the openafs session, but basically it
should work:
auth required pam_nologin.so
auth sufficient pam_krb5.so forwardable
auth sufficient pam_ldap.so use_first_pass
auth required pam_unix.so try_first_pass
auth required pam_env.so # [1]
account sufficient pam_krb5.so
account sufficient pam_ldap.so
account required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_krb5.so
session optional pam_openafs_session.so
session optional pam_ldap.so
session required pam_unix.so
session optional pam_lastlog.so # [1]
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so use_authtok nullok md5
Hope it helps,
Cajus
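An added example, not from the thread: a small Python simulator of the classic PAM control flags (requisite, required, sufficient, optional), run over the auth lines of the stack above to show which modules are actually consulted for a given set of module outcomes, for instance that pam_env at the end is skipped whenever pam_krb5 succeeds. The module names come from the reply; the per-module outcomes are constructed.

```python
# Added example (not from the thread): simulate Linux-PAM control flags over the
# stacked krb5/ldap/unix auth lines to see which modules run and the final result.

def parse_pam(text):
    """Parse pam.d-style lines into (type, control, module, args) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments like "# [1]"
        if not line:
            continue
        mtype, control, module, *args = line.split()
        rules.append((mtype, control, module, args))
    return rules

def evaluate(rules, mtype, outcomes):
    """Walk one management group (auth/account/session/password).

    outcomes maps module name -> True (PAM_SUCCESS) or False (any failure);
    modules not listed are treated as failing. Returns (success, modules_called).
    Models the classic flags only, not the [value=action] syntax.
    """
    called, required_failed = [], False
    for t, control, module, _args in rules:
        if t != mtype:
            continue
        called.append(module)
        ok = outcomes.get(module, False)
        if control == "requisite" and not ok:
            return False, called          # fail at once, rest of stack skipped
        if control == "required" and not ok:
            required_failed = True        # keep walking so the failing module is hidden
        if control == "sufficient" and ok and not required_failed:
            return True, called           # success now, remaining modules never run
        # optional: result ignored unless it is the only module in the stack
    return not required_failed, called

def weak_settings(rules):
    """Flag arguments that weaken a stack, e.g. nullok (empty password accepted)."""
    return [(t, m, a) for t, _c, m, args in rules for a in args if a == "nullok"]

# Auth lines of the stack posted above (constructed copy for the simulation).
CAJUS_AUTH = """\
auth required pam_nologin.so
auth sufficient pam_krb5.so forwardable
auth sufficient pam_ldap.so use_first_pass
auth required pam_unix.so try_first_pass
auth required pam_env.so # [1]
"""

if __name__ == "__main__":
    rules = parse_pam(CAJUS_AUTH)
    print(evaluate(rules, "auth", {"pam_nologin.so": True, "pam_krb5.so": True}))
```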