[Fedora-directory-users] FDS / PAM Integration Questions

[Jonathan Schreiter]

Hi All,
I am interested in switching from MIT Kerberos5 (GSSAPI/SASL), OpenLDAP to FDS.  Primarily, I'm looking for authentication and authorization for fedora / centos console logins (via PAM).

Currently I have a cron job that keeps a kerberos service principal alive to allow slapd to bind to openldap (as I've also disabled anonymous binds).  I also have startTLS running w/o client authentication (just server certificates and the local client has the CA pub cert).  

I then have nsswitch/pam configured to use these for console (console,ssh,etc) logins.
I'm currently using the pam_sasl_mech GSSAPI and pam_groupdn features of the /etc/ldap.conf (/etc/openldap/ldap.conf) to manage authorization to the local system (by pointint to a posix group dn).

I was able to setup FDS to for console sessions with cleartext and nsswitch.  I'm not sure which route to take in terms of locking down FDS with a pure linux environment.  The straight SSL certificate approach seems to want the user to enter a password before a bind, so I'm not sure that's compatible with PAM.   Is TLS a better option for this?  The last option seems to be to keep Kerberos / GSSAPI, but I've read some posts where you can't easily do this.  I've tried to make the SASL mapping as the docs show, but was unsuccessful.

Can anyone point me in the right direction for the best way to accomplish secure PAM / FDS integraion?  Any help would be greatly appreciated.
Many thanks!
Jonathan