
Re: KerberosV OpenLDAP and PAM



On Sun, 2003-08-31 at 00:57, Stephen Frost wrote:
> * Matthijs Mohlmann (matthijs@active2.homelinux.org) wrote:
> > I use KerberosV for authentication. For all types of data I use OpenLDAP
> > and for logging in to a computer on a network I use PAM.
> [...]
> > Now I want this together. But I don't know how. I've read the
> > documentation from PAM but I don't get it.
> > 
> > What I want is the security of KerberosV and the flexibility of
> > OpenLDAP.
> 
> If you want the security of Kerberos you shouldn't be using pam_krb5
> ever or having userPassword in OpenLDAP at all.
> 
> > My configuration is now that in OpenLDAP is an attribute userPassword and
> > this attribute points to the KerberosV database.
> 
> This means that the password is sent in cleartext from the client to the
> server, totally against the Kerberos security model which *never* allows
> the password across in cleartext.
> 
> What you need is to get Kerberized clients and servers and to remove
> pam_krb5 from everything.
> 
> 	Stephen

Do you have another idea? I want to log in on my KerberosV server and
then I have to type my password. I have my libpam-krb5 module only in
/etc/pam.d/login and /etc/pam.d/gdm.

Is there something else you can advise me to take?

I also have another problem with gdm. When I make the change to
libnss-ldap.conf:
-host server.active2.homelinux.org
+uri ldaps://server.active2.homelinux.org/
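
Review bot: the added "uri ldaps://server.active2.homelinux.org/" line moves NSS lookups onto TLS, but the change carries no certificate-trust setting alongside it. If libnss-ldap.conf does not already name the CA that signed the server certificate (tls_cacertfile, with tls_checkpeer yes), add that in the same change, and check that the host name in the URI matches the certificate and that slapd is actually listening for ldaps; a failed lookup at this layer affects every NSS consumer, gdm included.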

Then gdm would not run. I have the debug option in gdm.conf set to true, but
the logs don't say anything about the problem.


