[Fedora-directory-users] FDS / PAM Integration Questions

Richard Megginson rmeggins at redhat.com
Mon Jan 29 23:07:31 UTC 2007


Jonathan Schreiter wrote:
> Hi All,
> I am interested in switching from MIT Kerberos5 (GSSAPI/SASL), OpenLDAP to FDS.  Primarily, I'm looking for authentication and authorization for fedora / centos console logins (via PAM).
>
> Currently I have a cron job that keeps a kerberos service principal alive to allow slapd to bind to openldap (as I've also disabled anonymous binds).  I also have startTLS running w/o client authentication (just server certificates and the local client has the CA pub cert).  
>
> I then have nsswitch/pam configured to use these for console (console,ssh,etc) logins.
> I'm currently using the pam_sasl_mech GSSAPI and pam_groupdn features of the /etc/ldap.conf (/etc/openldap/ldap.conf) to manage authorization to the local system (by pointing to a posix group dn).
>
> I was able to set up FDS for console sessions with cleartext and nsswitch.  I'm not sure which route to take in terms of locking down FDS with a pure linux environment.  The straight SSL certificate approach seems to want the user to enter a password before a bind, so I'm not sure that's compatible with PAM.   Is TLS a better option for this?  The last option seems to be to keep Kerberos / GSSAPI, but I've read some posts where you can't easily do this.
It's not that bad.
> I've tried to make the SASL mapping as the docs show, but was unsuccessful.
>   
I think your best option is to just keep Kerberos for authentication, 
especially if you are already using it successfully for other apps.  
What problems did you have with SASL mapping?

Did you see this - http://directory.fedora.redhat.com/wiki/Howto:Kerberos
> Can anyone point me in the right direction for the best way to accomplish secure PAM / FDS integration?  Any help would be greatly appreciated.
> Many thanks!
> Jonathan
>
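A SASL mapping of the kind the Kerberos Howto describes, added here as an example and not taken from the thread or from the FDS documentation; the realm EXAMPLE.COM, the suffix dc=example,dc=com and the mapping's cn are assumed placeholders:

```ldif
# Added example (not from the list thread): a Fedora Directory Server
# SASL mapping that turns an authenticated Kerberos principal into the
# DN of the matching user entry.  Load it with ldapmodify bound as
# Directory Manager.  EXAMPLE.COM and dc=example,dc=com are assumed
# placeholders; adjust them to your realm and suffix.
#
# How it works: after a successful GSSAPI bind the server holds the
# authorization identity "jonathan@EXAMPLE.COM".  The regex below
# captures the part before the '@' and substitutes it into the search
# filter as \1.  The single entry that filter finds becomes the bound
# identity, so ACIs and pam_groupdn checks see a real user DN rather
# than the bind being treated as anonymous.  If the filter matches
# zero or more than one entry, the bind fails instead of guessing.
dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
changetype: add
objectClass: top
objectClass: nsSaslMapping
cn: Kerberos uid mapping
# Anchor on the realm so that a host/ or foreign-realm principal does
# not silently map onto a user account.
nsSaslMapRegexString: \(.*\)@EXAMPLE.COM
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (uid=\1)
```

Apply with `ldapmodify -x -D "cn=Directory Manager" -W -f <file>`, then bind from a client holding a ticket with `ldapsearch -Y GSSAPI -H ldap://<server> -b "" -s base`: the BIND RESULT line in the server's access log shows the DN the mapping resolved to, which is the check that the mapping fired rather than falling through to an anonymous or rejected bind.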