On Sat, 2003-08-30 at 23:37, Cajus Pollmeier wrote:
> On Saturday, 30 August 2003 23:06, Matthijs Mohlmann wrote:
> > Hey all,
> >
> > I use for authentication KerberosV. For all types of data I use OpenLDAP
> > and for login on into a computer on a network I use PAM.
> >
> > When I use KerberosV then I do so:
> > auth requisite pam_securetty.so
> > auth requisite pam_nologin.so
> > auth required pam_env.so
> > auth sufficient pam_krb5.so
> > auth required pam_unix.so nullok
> > account sufficient pam_krb5.so
> > account required pam_unix.so
> > session sufficient pam_krb5.so
> > session required pam_unix.so
> >
> > When I use Pam then I do so:
> > auth requisite pam_securetty.so
> > auth requisite pam_nologin.so
> > auth required pam_env.so
> > auth sufficient pam_ldap.so
> > auth required pam_unix.so nullok
> > account sufficient pam_ldap.so
> > account required pam_unix.so
> > session sufficient pam_ldap.so
> > session required pam_unix.so
> >
> > Now I want this together. But I don't know how. I've read the
> > documentation from PAM but I don't get it.
> >
> > What I want is the security of KerberosV and the flexibility of
> > OpenLDAP.
> >
> > My configuration is now that in OpenLDAP is an attribute userPassword and
> > this attribute points to the KerberosV database.
> >
> > And if it can't, I make tomorrow my own PAM module :)
>
> I'm using this. You'll have to strip out the openafs session, but basically it
> should work:
>
> auth required pam_nologin.so
> auth sufficient pam_krb5.so forwardable
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_unix.so try_first_pass
> auth required pam_env.so # [1]
>
> account sufficient pam_krb5.so
> account sufficient pam_ldap.so
> account required pam_unix.so
>
> session required pam_mkhomedir.so skel=/etc/skel umask=0077
> session optional pam_krb5.so
> session optional pam_openafs_session.so
> session optional pam_ldap.so
> session required pam_unix.so
> session optional pam_lastlog.so # [1]
> session optional pam_motd.so # [1]
> session optional pam_mail.so standard noenv # [1]
> session required pam_limits.so
>
> password required pam_cracklib.so retry=3 minlen=6 difok=3
> password required pam_unix.so use_authtok nullok md5
>
> Hope it helps,
> Cajus
>
It works. Thank you very much.
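
How the control flags in the combined auth stack quoted above decide a login, as an added example that is not part of the original thread. It is a simplified Python model of the required/requisite/sufficient/optional semantics; `evaluate` and the pass/fail outcome dictionaries are constructed for illustration, and real modules return richer codes than pass or fail.

```python
# Added illustration: simplified model of Linux-PAM control flags.
# Module outcomes are constructed inputs, not output from real modules.

AUTH_STACK = [  # auth lines from the quoted reply, in order
    ("required",   "pam_nologin.so"),
    ("sufficient", "pam_krb5.so"),
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_unix.so"),
    ("required",   "pam_env.so"),
]

def evaluate(stack, outcomes):
    """Return (granted, modules_run).

    outcomes maps module name -> True (success) or False (failure);
    modules that are not listed are assumed to succeed.
    """
    failed = False   # a required module has failed earlier in the stack
    passed = False   # at least one module has counted as a success
    ran = []
    for control, module in stack:
        ok = outcomes.get(module, True)
        ran.append(module)
        if ok:
            if control == "sufficient" and not failed:
                return True, ran      # stack ends; later modules never run
            if not failed:
                passed = True
        elif control == "requisite":
            return False, ran         # fail immediately
        elif control == "required":
            failed = True             # keep going, but the result is failure
        # a failed sufficient or optional module is ignored
    return passed and not failed, ran

if __name__ == "__main__":
    scenarios = {
        "Kerberos principal": {},
        "LDAP-only account": {"pam_krb5.so": False},
        "local account": {"pam_krb5.so": False, "pam_ldap.so": False},
        "nologin active": {"pam_nologin.so": False},
    }
    for name, outcomes in scenarios.items():
        granted, ran = evaluate(AUTH_STACK, outcomes)
        print(f"{name:20} granted={granted!s:5} ran={', '.join(ran)}")
```

A successful `sufficient` module ends the stack, so `pam_env.so` placed last in the auth stack only runs for accounts that fall through to `pam_unix.so`; the same short-circuit in the account stack means `pam_unix.so` account checks are skipped whenever `pam_krb5.so` or `pam_ldap.so` succeeds.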