* Matthijs Mohlmann ([EMAIL PROTECTED]) wrote:
> I use for authentication KerberosV. For all types of data I use OpenLDAP
> and for logging in to a computer on a network I use PAM.
[...]
> Now I want this together. But I don't know how. I've read the
> documentation from PAM but I don't get it.
>
> What I want is the security of KerberosV and the flexibility of
> OpenLDAP.

If you want the security of Kerberos you shouldn't be using pam_krb5 ever
or having userPassword in OpenLDAP at all.

> My configuration is now that in OpenLDAP is an attribute userPassword and
> this attribute points to the KerberosV database.

This means that the password is sent in cleartext from the client to the
server, totally against the Kerberos security model which *never* allows
the password across in cleartext. What you need is to get Kerberized
clients and servers and to remove pam_krb5 from everything.

Stephen