
Re: [rhn-users] openldap + pam_ldap + krb5 auth



On Tue, 14 Dec 2004 10:16:46 -0500, FM <dist-list lexum umontreal ca> wrote:
> I installed openldap 2.2.x with krb5 (SASL).
> 
> Now I am trying to set my station to authenticate my station
> 
> My system-auth looks like this:
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/pam_krb5.so use_first_pass debug
> auth        required      pam_deny.so
> account     sufficient    pam_unix.so
> account     required      pam_deny.so
> account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]   /lib/security/pam_krb5.so debug
> account     sufficient    pam_ldap.so use_first_pass
> 
> password    required      pam_cracklib.so retry=3 minlen=2  dcredit=0 ucredit=0 ucredit=0
> password    sufficient    pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/pam_krb5.so debug
> password    required      pam_deny.so
> session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session     required      pam_limits.so
> session     required      pam_unix.so
> session     optional      /lib/security/pam_krb5.so
> 
> I can connect, but in the slapd log, it connects to ldap using BIND dn=""
> and then it auths using sasl
> 
> If I try whoami for example the BIND dn is also = ""
> 
> So,
> If I put
> use_sasl on
> pam_sasl_mech GSSAPI
> 
> in /etc/ldap.conf
> 
> now slapd log BIND dn  authcid="user realm"
> 
> so it seems ok, but now I cannot use kdm to connect from my station
> removing the new conf from ldap.conf solved my prob but I'm back with
> the bind dn= ""
> 
> Do you have a system-auth + ldap.conf sample for krb5 + openldap ?
> 
> thanks !
> 

