
OpenLDAP and Kerberos questions



Hi all,

I recently decided it would be a good thing to centralize all of the 
user information and authentication on my network. After some reading I 
found that Kerberos will provide me the necessary secure authentication 
scheme, and OpenLDAP should provide me the user information DB. Both 
appear to have available PAM modules, but I lack the foresight on how to 
proceed. Here is my theory and how I want to set it up:

Users are allowed to login using ssh or local login via virtual 
terminal or WDM. I am using the default WDM and Xauth setup currently 
in Debian. Correct me if I am wrong, but the current version of X uses 
Xauth by default. So far this has proven secure. Telnet and rlogin are 
explicitly disallowed.

To accomplish this I would like login to use Kerberos for authentication 
first with unix login as a fall back. The auth lines in /etc/pam.d/login 
could be like the following:

	auth            required        pam_nologin.so
	auth            sufficient      pam_krb5.so
	auth            required        pam_unix.so

Theoretically this will allow Kerberos to authenticate the user and if 
failed pass authentication to local unix authentication. Since Kerberos 
only provides authentication, I have to use another method to set up the 
account information for the user. This is where I would like to use 
OpenLDAP so I can centrally manage user account information. So I think 
the following account lines would be needed for setting up user account 
info using LDAP:

	account         sufficient      pam_ldap.so
	account         required        pam_unix.so

Again this should use LDAP first and fall back to local unix if needed. 
Ideally this would be all I need to do. However since we used Kerberos 
above, I think I would have to use the following as well for the 
password and session sections:

	password        sufficient      pam_krb5.so
	password        required        pam_unix.so
	session         required        pam_krb5.so
	session         required        pam_unix.so

Should use Kerberos password to allow password changes by the user and 
the session one maintains the session key until logout. (I read 
something on this but cannot find it now. So I could be very wrong.) 
They both have the usual fall back to pam_unix.so.

So all of that is essentially theory and I was wondering if anyone has 
any suggestions. Especially the existing OpenLDAP and Kerberos 
maintainers. Steve Langasek, you seem to have written a pam module 
before, any suggestions?

For the curious, I have read up on this. I am simply not very confident 
of my understanding. Any help would be great. Please reply to me 
directly or CC me. I am not subscribed to the list. (Wasn't there a 
thing on how to handle this in mutt recently....)

Thanks,

Matthew P. McGuire
 
-- 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Matthew P. McGuire <gray@shadowglade.net> 1024D/E21C0E88
CB82 7859 26B2 95E3 1328  5198 D57A D072 E21C 0E88
          When choice matters, choose Debian.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
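As an added illustration (not part of the original message, and not Linux-PAM code), here is a small Python model of the `required`/`requisite`/`sufficient`/`optional` control-flag rules that the proposed stacks depend on, run over those stacks with constructed module results; `run_stack` and `missing_modules` are hypothetical helpers that show which module actually decides each outcome, including the "Kerberos fails, fall back to pam_unix" path.

```python
# Model of Linux-PAM control-flag semantics, applied to the stacks proposed in
# the message above (with the module name pam_kerb5.so corrected to pam_krb5.so).
# This is a simplified simulation for illustration, not libpam itself.

PAM_SUCCESS = "success"
PAM_FAIL = "fail"

LOGIN_STACK = {
    "auth": [("required", "pam_nologin.so"),
             ("sufficient", "pam_krb5.so"),
             ("required", "pam_unix.so")],
    "account": [("sufficient", "pam_ldap.so"),
                ("required", "pam_unix.so")],
    "password": [("sufficient", "pam_krb5.so"),
                 ("required", "pam_unix.so")],
    "session": [("required", "pam_krb5.so"),
                ("required", "pam_unix.so")],
}


def run_stack(stack, results):
    """Evaluate one management group (auth/account/password/session).

    `results` maps a module name to PAM_SUCCESS or PAM_FAIL: a constructed
    stand-in for what the module would return. Returns (outcome, modules that
    were actually consulted), so you can see where the stack short-circuited.
    """
    consulted = []
    failed = False    # a required/requisite module has already failed
    decided = False   # some module has given a definitive answer
    for control, module in stack:
        consulted.append(module)
        ok = results.get(module, PAM_FAIL) == PAM_SUCCESS   # unknown -> fail
        if control == "requisite" and not ok:
            return PAM_FAIL, consulted              # abort the stack at once
        if control in ("required", "requisite"):
            decided = True
            failed = failed or not ok               # keep running, but remember
        elif control == "sufficient" and ok and not failed:
            return PAM_SUCCESS, consulted           # later modules never run
        # optional, or a failing sufficient: no effect on the outcome
    return (PAM_FAIL if failed or not decided else PAM_SUCCESS), consulted


def missing_modules(stack, installed):
    """Module names referenced by the stack but not installed. A misspelling
    such as pam_kerb5.so shows up here; libpam treats an unloadable module
    as a failing one, which on a `required` line fails the whole stack."""
    return sorted({m for _, m in stack if m not in installed})
```

With the auth stack above, a successful `pam_krb5.so` returns before `pam_unix.so` is ever consulted, while a Kerberos failure leaves `pam_unix.so` as the deciding module, which is the fallback behaviour the message is after.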


