[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: KerberosV OpenLDAP and PAM

On Sun, 2003-08-31 at 00:57, Stephen Frost wrote:
> * Matthijs Mohlmann (matthijs@active2.homelinux.org) wrote:
> > I use for authentication KerberosV. For all types of data i use OpenLDAP
> > and for login on into a computer on a network i use PAM.
> [...]
> > Now i want this together. But i don't know how. I've read the
> > documentation from PAM but i don't get it.
> > 
> > What i want is the security of KerberosV and the Flexibility of
> > OpenLDAP.
> If you want the security of Kerberos you shouldn't be using pam_krb5
> ever or having userPassword in OpenLDAP at all.
> > My configuration is now that in OpenLDAP is a attribute userPassword and
> > this attribute points to the KerberosV database.
> This means that the password is sent in cleartext from the client to the
> server, totally against the Kerberos security model which *never* allows
> the password across in cleartext.
> What you need is to get Kerberized clients and servers and to remove
> pam_krb5 from everything.
> 	Stephen

Do you have another idea ? I want to login on my KerberosV server and
then i have to type my password. I have my libpam-krb5 module only in
/etc/pam.d/login and /etc/pam.d/gdm.

Is there something else you can advice me to take ?

I have also another problem with gdm. When i make the change to
-host server.active2.homelinux.org
+uri ldaps://server.active2.homelinux.org/

Then gdm would not run. I've the debug option in gdm.conf on true but
the logs don't say anything about the problem.

Reply to: