[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: KerberosV OpenLDAP and PAM

* Matthijs Mohlmann (matthijs@active2.homelinux.org) wrote:
> I use for authentication KerberosV. For all types of data i use OpenLDAP
> and for login on into a computer on a network i use PAM.
> Now i want this together. But i don't know how. I've read the
> documentation from PAM but i don't get it.
> What i want is the security of KerberosV and the Flexibility of
> OpenLDAP.

If you want the security of Kerberos you shouldn't be using pam_krb5
ever or having userPassword in OpenLDAP at all.

> My configuration is now that in OpenLDAP is a attribute userPassword and
> this attribute points to the KerberosV database.

This means that the password is sent in cleartext from the client to the
server, totally against the Kerberos security model which *never* allows
the password across in cleartext.

What you need is to get Kerberized clients and servers and to remove
pam_krb5 from everything.


Attachment: pgpi4MMxezn_M.pgp
Description: PGP signature

Reply to: