
Re: KerberosV OpenLDAP and PAM



* Matthijs Mohlmann (matthijs@active2.homelinux.org) wrote:
> I use KerberosV for authentication. For all types of data I use OpenLDAP
> and for logging in to a computer on a network I use PAM.
[...]
> Now I want this together. But I don't know how. I've read the
> documentation from PAM but I don't get it.
> 
> What I want is the security of KerberosV and the flexibility of
> OpenLDAP.

If you want the security of Kerberos you shouldn't be using pam_krb5
ever or having userPassword in OpenLDAP at all.

> My configuration is now that in OpenLDAP there is an attribute userPassword and
> this attribute points to the KerberosV database.

This means that the password is sent in cleartext from the client to the
server, totally against the Kerberos security model which *never* allows
the password across in cleartext.

What you need is to get Kerberized clients and servers and to remove
pam_krb5 from everything.

	Stephen
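
Added example, not part of the original message: a small audit script that scans an LDIF export for userPassword values that defer to Kerberos, the configuration the reply warns about. It assumes the "pointer" is stored as a `{KERBEROS}` or `{SASL}` pass-through scheme value; the sample entries and the `find_passthrough` name are constructed for illustration.

```python
import base64

# Pass-through schemes: slapd verifies a simple-bind password against an
# external service, so the client has to send the password itself to slapd.
PASSTHROUGH_SCHEMES = ("{KERBEROS}", "{SASL}")

def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_passthrough(ldif_text):
    """Return (dn, scheme, target) for every userPassword that defers to Kerberos."""
    findings, dn = [], None
    for line in unfold(ldif_text):
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if rest.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        key = name.split(";")[0].lower()  # drop attribute options
        if key == "dn":
            dn = value
        elif key == "userpassword":
            for scheme in PASSTHROUGH_SCHEMES:
                if value.upper().startswith(scheme):
                    findings.append((dn, scheme, value[len(scheme):]))
    return findings

# Constructed sample export: one folded value, one base64 value, one clean entry.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=org",
    "userPassword: {KERBEROS}alice@EXAM",
    " PLE.ORG",
    "",
    "dn: uid=bob,ou=people,dc=example,dc=org",
    "userPassword:: " + base64.b64encode(b"{SASL}bob@EXAMPLE.ORG").decode(),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=org",
    "description: Kerberos-only account, no userPassword",
])

if __name__ == "__main__":
    for dn, scheme, target in find_passthrough(SAMPLE_LDIF):
        print(f"{dn}: simple bind forwards the password via {scheme} to {target}")
```

Entries it reports are the ones to move to Kerberized (SASL/GSSAPI) binds before dropping userPassword.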
