
Re: Kerberos+LDAP+NIS?



On Wednesday 20 July 2005 02:41 pm, Nils Erik Svangård wrote:
> I can't! I don't have the authority to do that.
> I have set up NIS, which authenticates via the Kerberos server. I guess
> it would be easiest to just add a group in NIS, but LDAP is the future
> and there are such nice GUIs.
> Where do I do prelogin scripting?
> Let's say a user enters a username and a password: first it checks via
> yp if the user is in passwd and then tries to authenticate via the
> Kerberos server (via pam_krb5).
> What I want is a
> if (in_ldap(username))
> {
>     if (check_with_yp(username))
>     {
>         if (krb5_authenticate(username, password))
>         {
>             login();
>         }
>     }
> }
> Where do I do this kind of magic? Somewhere with PAM?
>
> /nisse
>
> On 7/20/05, Carlos Rodrigues <carlos.efr@mail.telepac.pt> wrote:
> > Nils Erik Svangård wrote:
> > > Hello!
> > > snip < < <

That is possibly the most absolutely horrifying setup I've ever heard of, and 
you have my deepest, most sincere sympathies at having to deal with not only 
LDAP/Kerberos but also NIS. It's also worth noting that using NIS is probably 
ruining any security you're getting from LDAP/SSL or Kerberos... but with 
that out of the way, I think I can help. I'm not hugely familiar with NIS, so 
don't assume anything here is true.

Before you start, get a root terminal on your machine and leave it open. If 
you make a mistake or my instructions are wrong, you can lose login access to 
the system... (don't ever forget this when working on headless remote 
systems... bad experiences)

Okay, first you need to make the LDAP information available to the Name 
Service Switch (NSS) part of your system, which will let you check the group 
information and such without any particular black magic -- it'll be the same 
as if it was in /etc/groups. For this, you want to install and configure 
libnss-ldap (left to the reader), then modify your /etc/nsswitch.conf file so 
that the 'group:' line looks like this:

   group:          files ldap

If you haven't already configured the NSS for NIS, do that too. Your 
nsswitch.conf file should probably look something like this now:

passwd:         files nis
group:          files ldap
shadow:         files nis
... (rest of the file unchanged)

That will get shell/home information from NIS, group info from LDAP, and 
shadow (passwords) from NIS which you say authenticates via Kerberos (are you 
sure there aren't any passwords getting tossed around in plain text?). Make 
sure this is all working perfectly -- you should be able to 'getent passwd 
<username>' for a user in the NIS system and have it return his data, and you 
should also be able to retrieve group info from LDAP with ldapsearch. You 
shouldn't need any PAM magic if you're using NIS and it's configured 
properly. Then, to restrict login to a certain group, you need some lines 
in /etc/login.access looking something like:

-:ALL:ALL
+:groupallowedtologin:ALL

... but I'm not hugely familiar with that file, man login.access for more on 
that.

I've never done anything quite like this (strictly LDAPS/Kerberos here) but I 
think that information should at least get you going in the right direction. 
I'll say again, however, that the setup you're working with is basically a 
trainwreck and is probably leaking passwords and information all over the 
place unless it's very carefully designed. Complain to someone with authority 
and try to get the NIS information moved into LDAP -- it's generally much 
nicer to administrate.

Whew! HTH.

-- 
Ryan Schultz
-> floating point exception: divide by cucumber
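Added example, not code from the thread: a simplified evaluator of login.access rules, written so the two-line ruleset suggested above can be dry-run against a constructed user before it is installed. It assumes the "permission:users:origins" form with ALL, login names and group names only; EXCEPT clauses, netgroups and LOCAL origins are not handled, and rule matching is first-match as described in login.access(5).

```python
# Simplified login.access / pam_access access.conf evaluator (added example).
# Assumed subset: "permission:users:origins", where users is a space-separated
# list of login names, group names or ALL, and origins is ALL or a literal
# tty/host name. "EXCEPT", "@netgroup" and "LOCAL" are deliberately unsupported.

def parse_login_access(text):
    """Return a list of (permission, [users], [origins]) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field: %r" % raw)
        rules.append((perm, users.split(), origins.split()))
    return rules

def _user_matches(field, user, groups):
    # A users-field entry matches a login name, one of the user's groups, or ALL.
    return field == "ALL" or field == user or field in groups

def login_allowed(rules, user, groups, origin="tty1"):
    """First matching rule decides; with no matching rule access is granted."""
    for perm, users, origins in rules:
        if any(_user_matches(u, user, groups) for u in users) and \
           any(o == "ALL" or o == origin for o in origins):
            return perm == "+"
    return True

# Constructed rulesets: the order from the mail above, and the reverse order.
DENY_FIRST = "-:ALL:ALL\n+:groupallowedtologin:ALL\n"
ALLOW_FIRST = "+:groupallowedtologin:ALL\n-:ALL:ALL\n"

def dry_run(ruleset_text, user, groups):
    """Evaluate one constructed user against a ruleset; used by the checks below."""
    return login_allowed(parse_login_access(ruleset_text), user, groups)

if __name__ == "__main__":
    for name, text in (("deny-first", DENY_FIRST), ("allow-first", ALLOW_FIRST)):
        print(name, "member:", dry_run(text, "nisse", ["users", "groupallowedtologin"]),
              "non-member:", dry_run(text, "guest", ["users"]))
```

Running the dry run shows why rule order matters: with the deny-all line first, the group member is refused as well, so the group line has to precede it for the restriction to behave as intended.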