On Saturday, 30 August 2003 23:06, Matthijs Mohlmann wrote:
> ey all,
>
> I use for authentication KerberosV. For all types of data I use OpenLDAP
> and for login on into a computer on a network I use PAM.
>
> When I use KerberosV then I do so:
> auth requisite pam_securetty.so
> auth requisite pam_nologin.so
> auth required pam_env.so
> auth sufficient pam_krb5.so
> auth required pam_unix.so nullok
> account sufficient pam_krb5.so
> account required pam_unix.so
> session sufficient pam_krb5.so
> session required pam_unix.so
>
> When I use Pam then I do so:
> auth requisite pam_securetty.so
> auth requisite pam_nologin.so
> auth required pam_env.so
> auth sufficient pam_ldap.so
> auth required pam_unix.so nullok
> account sufficient pam_ldap.so
> account required pam_unix.so
> session sufficient pam_ldap.so
> session required pam_unix.so
>
> Now I want this together. But I don't know how. I've read the
> documentation from PAM but I don't get it.
>
> What I want is the security of KerberosV and the flexibility of
> OpenLDAP.
>
> My configuration is now that in OpenLDAP is an attribute userPassword and
> this attribute points to the KerberosV database.
>
> And if it can't I make tomorrow my own PAM module :)

I'm using this. You'll have to strip out the openafs session, but
basically it should work:

auth     required   pam_nologin.so
auth     sufficient pam_krb5.so forwardable
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_unix.so try_first_pass
auth     required   pam_env.so # [1]

account  sufficient pam_krb5.so
account  sufficient pam_ldap.so
account  required   pam_unix.so

session  required   pam_mkhomedir.so skel=/etc/skel umask=0077
session  optional   pam_krb5.so
session  optional   pam_openafs_session.so
session  optional   pam_ldap.so
session  required   pam_unix.so
session  optional   pam_lastlog.so # [1]
session  optional   pam_motd.so # [1]
session  optional   pam_mail.so standard noenv # [1]
session  required   pam_limits.so

password required   pam_cracklib.so retry=3 minlen=6 difok=3
password required   pam_unix.so use_authtok nullok md5

Hope it helps,
Cajus
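
The auth stack from the reply above, run through a simplified model of the Linux-PAM control flags to show which modules are actually called for a Kerberos, an LDAP-only and a local account. This is an added example, not part of the original thread: `run_stack`, `outcomes` and the per-module results are constructed for illustration, and module arguments such as `use_first_pass` are not modelled.

```python
# Added example: simplified model of the Linux-PAM control flags
# (requisite, required, sufficient, optional). Module results are
# constructed inputs, not the output of real PAM modules.
AUTH_STACK = [  # the "auth" lines from the reply, arguments omitted
    ("required", "pam_nologin.so"),
    ("sufficient", "pam_krb5.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
    ("required", "pam_env.so"),
]
FLAGS = ("requisite", "required", "sufficient", "optional")

def run_stack(stack, outcome):
    """Return (granted, modules_called); outcome maps module -> True/False."""
    called, failed, succeeded = [], False, False
    for control, module in stack:
        if control not in FLAGS:
            raise ValueError(f"unsupported control flag: {control}")
        called.append(module)
        if outcome[module]:
            succeeded = True
            if control == "sufficient" and not failed:
                return True, called   # stack ends here; later modules never run
        elif control == "requisite":
            return False, called      # hard failure, stop immediately
        elif control == "required":
            failed = True             # remembered; remaining modules still run
        # a failing sufficient or optional module is ignored
    # Granted only if nothing required failed and at least one module succeeded.
    return (succeeded and not failed), called

def outcomes(*ok_modules):
    """Constructed results: the listed modules succeed, all others fail."""
    return {module: module in ok_modules for _, module in AUTH_STACK}

if __name__ == "__main__":
    cases = {
        "Kerberos account": outcomes("pam_nologin.so", "pam_krb5.so"),
        "LDAP-only account": outcomes("pam_nologin.so", "pam_ldap.so"),
        "local account": outcomes("pam_nologin.so", "pam_unix.so", "pam_env.so"),
        "nologin set, Kerberos ok": outcomes("pam_krb5.so", "pam_unix.so", "pam_env.so"),
    }
    for name, result in cases.items():
        granted, called = run_stack(AUTH_STACK, result)
        print(f"{name:26} granted={granted!s:5} called={', '.join(called)}")
```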