
Re: KerberosV OpenLDAP and PAM



On Sat, 2003-08-30 at 23:37, Cajus Pollmeier wrote:
> On Saturday, 30 August 2003 23:06, Matthijs Mohlmann wrote:
> > Hey all,
> >
> > I use KerberosV for authentication. For all types of data I use OpenLDAP,
> > and for logging in to a computer on the network I use PAM.
> >
> > When I use KerberosV, I do it like this:
> > auth  requisite  pam_securetty.so
> > auth  requisite  pam_nologin.so
> > auth  required   pam_env.so
> > auth  sufficient pam_krb5.so
> > auth  required   pam_unix.so nullok
> > account  sufficient      pam_krb5.so
> > account  required        pam_unix.so
> > session  sufficient      pam_krb5.so
> > session  required        pam_unix.so
> >
> > When I use PAM, I do it like this:
> > auth  requisite  pam_securetty.so
> > auth  requisite  pam_nologin.so
> > auth  required   pam_env.so
> > auth  sufficient pam_ldap.so
> > auth  required   pam_unix.so nullok
> > account  sufficient      pam_ldap.so
> > account  required        pam_unix.so
> > session  sufficient      pam_ldap.so
> > session  required        pam_unix.so
> >
> > Now I want to combine these, but I don't know how. I've read the PAM
> > documentation but I don't get it.
> >
> > What I want is the security of KerberosV and the flexibility of
> > OpenLDAP.
> >
> > My configuration now is that OpenLDAP has a userPassword attribute, and
> > this attribute points to the KerberosV database.
> >
> > And if it can't be done, I'll write my own PAM module tomorrow :)
> 
> I'm using this. You'll have to strip out the openafs session, but basically it
> should work:
> 
> auth       required     pam_nologin.so
> auth       sufficient   pam_krb5.so forwardable
> auth       sufficient   pam_ldap.so use_first_pass
> auth       required     pam_unix.so try_first_pass
> auth       required     pam_env.so # [1]
> 
> account    sufficient   pam_krb5.so
> account    sufficient   pam_ldap.so
> account    required     pam_unix.so
> 
> session    required     pam_mkhomedir.so skel=/etc/skel umask=0077
> session    optional     pam_krb5.so
> session    optional     pam_openafs_session.so
> session    optional     pam_ldap.so
> session    required     pam_unix.so
> session    optional     pam_lastlog.so # [1]
> session    optional     pam_motd.so # [1]
> session    optional     pam_mail.so standard noenv # [1]
> session    required     pam_limits.so
> 
> password required       pam_cracklib.so retry=3 minlen=6 difok=3
> password required       pam_unix.so use_authtok nullok md5
> 
> Hope it helps,
> Cajus
> 

It works. Thank you very much.
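The two auth stacks in this thread differ in one detail that the PAM control flags make significant: in Matthijs's original stack pam_env.so sits above the `sufficient` pam_krb5.so line, while in Cajus's merged stack it sits below the `sufficient` lines. Because a `sufficient` success ends the stack (unless a `required` module above it has already failed), the modules below it never run for a user who authenticates via Kerberos. The following simulator is an added example, not code from the thread or from Linux-PAM; it walks the posted stacks under Linux-PAM's control-flag rules with constructed per-module outcomes, so you can see which modules actually execute in each case. Module results are supplied as scenario data; nothing here calls a real PAM module.

```python
"""Linux-PAM control-flag simulator for the auth stacks posted in this thread.

Added example, not code from the thread. Module outcomes are supplied per
scenario as constructed data; no real PAM module is invoked.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PAM_SUCCESS = "success"
PAM_FAIL = "failure"


@dataclass
class Entry:
    control: str            # required | requisite | sufficient | optional
    module: str             # e.g. pam_krb5.so
    args: Tuple[str, ...]   # e.g. ("use_first_pass",)


# The merged auth stack Cajus posted ('# [1]' comments kept as-is).
CAJUS_AUTH = """
auth       required     pam_nologin.so
auth       sufficient   pam_krb5.so forwardable
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_unix.so try_first_pass
auth       required     pam_env.so # [1]
"""

# Matthijs's original KerberosV-only auth stack.
MATTHIJS_KRB5_AUTH = """
auth  requisite  pam_securetty.so
auth  requisite  pam_nologin.so
auth  required   pam_env.so
auth  sufficient pam_krb5.so
auth  required   pam_unix.so nullok
"""


def parse_stack(text: str, service_type: str = "auth") -> List[Entry]:
    """Parse pam.d-style lines and keep only one type (auth, account, ...)."""
    stack: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == service_type:
            stack.append(Entry(parts[1], parts[2], tuple(parts[3:])))
    return stack


def run_stack(stack: List[Entry], outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk a stack applying Linux-PAM control-flag rules.

    `outcomes` maps module name -> PAM_SUCCESS/PAM_FAIL for this scenario;
    modules not listed are assumed to succeed. Returns (final result, list of
    modules that actually ran) so that skipped modules are visible.
    """
    ran: List[str] = []
    required_failed = False   # a required module failed earlier in the stack
    success_seen = False      # a required/requisite module succeeded
    optional_result = None
    for e in stack:
        ran.append(e.module)
        r = outcomes.get(e.module, PAM_SUCCESS)
        if e.control == "requisite":
            if r != PAM_SUCCESS:
                return PAM_FAIL, ran        # fail fast, nothing below runs
            success_seen = True
        elif e.control == "required":
            if r != PAM_SUCCESS:
                required_failed = True      # remembered, but keep walking
            else:
                success_seen = True
        elif e.control == "sufficient":
            # success ends the stack here unless a required module already
            # failed; failure of a sufficient module is simply ignored
            if r == PAM_SUCCESS and not required_failed:
                return PAM_SUCCESS, ran
        elif e.control == "optional":
            optional_result = r             # only counts if nothing else decides
        else:
            raise ValueError(f"unsupported control flag {e.control!r}")
    if required_failed:
        return PAM_FAIL, ran
    if success_seen:
        return PAM_SUCCESS, ran
    # nothing decisive: an all-optional stack yields the optional result,
    # otherwise access is denied (e.g. every sufficient module failed)
    return (optional_result or PAM_FAIL), ran


if __name__ == "__main__":
    scenarios = [
        ("Cajus: Kerberos user, valid password", CAJUS_AUTH, {}),
        ("Cajus: local-only user (krb5 and ldap fail)", CAJUS_AUTH,
         {"pam_krb5.so": PAM_FAIL, "pam_ldap.so": PAM_FAIL}),
        ("Cajus: /etc/nologin present", CAJUS_AUTH, {"pam_nologin.so": PAM_FAIL}),
        ("Matthijs: Kerberos user, valid password", MATTHIJS_KRB5_AUTH, {}),
    ]
    for name, text, outcomes in scenarios:
        final, ran = run_stack(parse_stack(text), outcomes)
        print(f"{name}: {final}; ran {' -> '.join(ran)}")
```

Running it shows that in Cajus's stack a Kerberos user returns success right after pam_krb5.so, so pam_ldap.so, pam_unix.so and pam_env.so are never consulted for that login, whereas in Matthijs's order pam_env.so has already run by the time pam_krb5.so short-circuits. A local-only account falls through both `sufficient` lines to pam_unix.so, and a failing `required` pam_nologin.so at the top prevents the `sufficient` modules from short-circuiting at all, so the login is denied even though Kerberos accepted the password.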



