Re: KerberosV OpenLDAP and PAM
On Sat, 2003-08-30 at 23:37, Cajus Pollmeier wrote:
> On Saturday, 30 August 2003 23:06, Matthijs Mohlmann wrote:
> > Hey all,
> >
> > I use KerberosV for authentication. For all types of data I use OpenLDAP,
> > and for logging in to a computer on a network I use PAM.
> >
> > When I use KerberosV, I do it like this:
> > auth requisite pam_securetty.so
> > auth requisite pam_nologin.so
> > auth required pam_env.so
> > auth sufficient pam_krb5.so
> > auth required pam_unix.so nullok
> > account sufficient pam_krb5.so
> > account required pam_unix.so
> > session sufficient pam_krb5.so
> > session required pam_unix.so
> >
> > When I use PAM, I do it like this:
> > auth requisite pam_securetty.so
> > auth requisite pam_nologin.so
> > auth required pam_env.so
> > auth sufficient pam_ldap.so
> > auth required pam_unix.so nullok
> > account sufficient pam_ldap.so
> > account required pam_unix.so
> > session sufficient pam_ldap.so
> > session required pam_unix.so
> >
> > Now I want these together, but I don't know how. I've read the
> > PAM documentation but I don't get it.
> >
> > What I want is the security of KerberosV and the flexibility of
> > OpenLDAP.
> >
> > My configuration is now that in OpenLDAP there is an attribute userPassword,
> > and this attribute points to the KerberosV database.
> >
> > And if it can't be done, I'll make my own PAM module tomorrow :)
>
> I'm using this. You'll have to strip out the openafs session, but basically it
> should work:
>
> auth required pam_nologin.so
> auth sufficient pam_krb5.so forwardable
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_unix.so try_first_pass
> auth required pam_env.so # [1]
>
> account sufficient pam_krb5.so
> account sufficient pam_ldap.so
> account required pam_unix.so
>
> session required pam_mkhomedir.so skel=/etc/skel umask=0077
> session optional pam_krb5.so
> session optional pam_openafs_session.so
> session optional pam_ldap.so
> session required pam_unix.so
> session optional pam_lastlog.so # [1]
> session optional pam_motd.so # [1]
> session optional pam_mail.so standard noenv # [1]
> session required pam_limits.so
>
> password required pam_cracklib.so retry=3 minlen=6 difok=3
> password required pam_unix.so use_authtok nullok md5
>
> Hope it helps,
> Cajus
>
It works. Thank you very much.
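As an added illustration (not part of the original thread, and not code from either poster), here is a small simulator of the Linux-PAM control-flag rules applied to the combined "auth" stack in Cajus' reply. It shows, for constructed per-module results, which modules are actually invoked and what the stack returns; for instance, when pam_krb5 succeeds the stack stops there, so the trailing `auth required pam_env.so` is never called.

```python
# Added example (not from the original thread): a simulator of Linux-PAM
# control-flag semantics, run over the combined "auth" stack posted above,
# showing which modules get invoked and what the stack returns.
from typing import Dict, List, Tuple

# The combined auth stack from the reply above, as (control, module) pairs.
AUTH_STACK: List[Tuple[str, str]] = [
    ("required", "pam_nologin.so"),
    ("sufficient", "pam_krb5.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
    ("required", "pam_env.so"),
]

def run_stack(stack: List[Tuple[str, str]], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate a PAM stack; return (final_result, modules_invoked).
    `results` maps module name -> True (PAM_SUCCESS) or False (any failure).
    Control flags as documented for Linux-PAM:
      requisite  - failure ends the stack immediately with failure
      required   - failure is remembered, but later modules still run
      sufficient - success ends the stack with success unless a required
                   module already failed; its own failure is ignored
      optional   - ignored unless it is the only module in the stack
    """
    invoked: List[str] = []
    required_failed = False
    for control, module in stack:
        invoked.append(module)
        ok = results.get(module, False)  # unlisted modules are treated as failing
        if control == "requisite" and not ok:
            return False, invoked
        if control == "required" and not ok:
            required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            return True, invoked
        elif control == "optional" and len(stack) == 1:
            return ok, invoked
    return not required_failed, invoked

def kerberos_user() -> Tuple[bool, List[str]]:
    """Constructed case: password accepted by the KDC; the stack stops at pam_krb5, pam_env never runs."""
    return run_stack(AUTH_STACK, {"pam_nologin.so": True, "pam_krb5.so": True})

def ldap_only_user() -> Tuple[bool, List[str]]:
    """Constructed case: KDC rejects the password, the LDAP bind with the same password succeeds."""
    return run_stack(AUTH_STACK, {"pam_nologin.so": True, "pam_ldap.so": True})

def nologin_blocked() -> Tuple[bool, List[str]]:
    """Constructed case: /etc/nologin present, so pam_nologin (required) fails and a Kerberos success is not enough."""
    return run_stack(AUTH_STACK, {"pam_krb5.so": True, "pam_unix.so": True, "pam_env.so": True})
```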