New PAM module pam_krb5+ldap

Jason Gerfen jason.gerfen at scl.utah.edu
Fri Oct 14 11:48:59 UTC 2005


Well it certainly isn't a solution for everyone, just an alternative.

Aaron Hope wrote:

>Hello,
>I am rather curious as to why nss_ldap is not appropriate for the
>situation you describe.  My experience is with OpenLDAP and nss_ldap
>+pam_ldap, so I am probably missing something here.  With OpenLDAP, if I
>wanted to keep the contents of the directory private, I would just have
>the hosts authenticate to a service account, probably using
>certificates, and have nscd perform the authenticated name resolution.
>Could you not accomplish something similar with kerberos?  What about
>group support?  Is this meant to complement a libnss module?
>
>On Thu, 2005-10-13 at 08:55 -0600, Jason Gerfen wrote:
>>Morning,
>>    I have been working on making some additions to the original 
>>pam_krb5 module for a little while and I can say that it is stable 
>>enough for release.  Details on the additions follow;
>>
>>pam_krb5+ldap
>>
>>requirements:
>>Linux-PAM libs
>>Kerberos libs
>>OpenLDAP libs
>>
>>summary:
>>Anyone who has used the existing pam_krb5 authentication module for 
>>Linux clients has at some point had to configure a new service, such as 
>>NIS or Samba, to provide user enumeration, or, as well as setting up a 
>>new service, had to configure the pam_ldap module or some other method 
>>of keeping user accounts (more specifically the uid and gid for the 
>>user) available to the pam_krb5 module during the TGT verification 
>>process.
>>
>>Since we do not authenticate users against LDAP, NIS or Samba, but have an 
>>LDAP / AD directory filled with users, uids, gids, home directories 
>>and default shells, I have added a couple of functions to generate the 
>>user data that populates the AD (unix services schema) / LDAP directory 
>>and hand it off to the TGT verification process.
>>
>>Not everyone out there has this type of setup I understand, but for 
>>those that do require Kerberos authentication and don't wish to run a 
>>secondary service such as NIS when they already have a good AD / LDAP 
>>directory filled with user data this is your module.
>>
>>I hope this helps some people out and if you find anything wrong with it 
>>let me know.
>>
>>http://sourceforge.net/projects/pam-krb5-ldap
>>


-- 
Jason Gerfen

"My girlfriend threatened to
 leave me if I went boarding...
 I will miss her."
 ~ DIATRIBE aka FBITKK
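
The per-user lookup the announcement describes, as an added illustration that is not code from pam_krb5+ldap: build the LDAP search filter for a username, escaping it so the name cannot reshape the filter, and pull the posixAccount attributes out of a returned entry into the struct that TGT verification would receive. The filter prefix, the attribute names and the LDIF-style input are assumptions; the module's own query and schema are not on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed holder for the posixAccount values handed to TGT verification. */
struct posix_user { unsigned long uid, gid; char home[256]; char shell[64]; };

/* Build "(&(objectClass=posixAccount)(uid=<user>))", hex-escaping the RFC 4515
   specials in the caller-supplied name so it cannot reshape the filter. */
int build_posix_filter(const char *user, char *out, size_t outlen) {
    static const char pre[] = "(&(objectClass=posixAccount)(uid=";
    size_t n = strlen(pre);
    if (n + 3 > outlen) return -1;                 /* pre + "))" + NUL */
    memcpy(out, pre, n);
    for (const unsigned char *p = (const unsigned char *)user; *p; p++) {
        if (*p == '*' || *p == '(' || *p == ')' || *p == '\\') {
            if (n + 6 > outlen) return -1;         /* "\xx" + "))" + NUL */
            n += (size_t)snprintf(out + n, outlen - n, "\\%02x", *p);
        } else {
            if (n + 4 > outlen) return -1;
            out[n++] = (char)*p;
        }
    }
    memcpy(out + n, "))", 3);                      /* returns 0 on success */
    return 0;
}

/* Fill *u from the "attr: value" lines of one entry (constructed LDIF-style text
   here, standing in for an ldap_search() result). Returns 0, or -1 when
   uidNumber or gidNumber is missing or non-numeric. */
int parse_posix_entry(const char *entry, struct posix_user *u) {
    int have_uid = 0, have_gid = 0; char line[512], *val, *end;
    memset(u, 0, sizeof *u);
    while (*entry) {
        const char *nl = strchr(entry, '\n');
        size_t len = nl ? (size_t)(nl - entry) : strlen(entry);
        if (len >= sizeof line) return -1;
        memcpy(line, entry, len); line[len] = '\0';
        entry += nl ? len + 1 : len;
        if (!(val = strchr(line, ':'))) continue;  /* skip malformed lines */
        *val++ = '\0';
        while (*val == ' ') val++;
        if (!strcmp(line, "uidNumber") || !strcmp(line, "gidNumber")) {
            unsigned long v = strtoul(val, &end, 10);
            if (*val == '\0' || *end != '\0') return -1;
            if (line[0] == 'u') { u->uid = v; have_uid = 1; } else { u->gid = v; have_gid = 1; }
        } else if (!strcmp(line, "homeDirectory")) snprintf(u->home, sizeof u->home, "%s", val);
        else if (!strcmp(line, "loginShell")) snprintf(u->shell, sizeof u->shell, "%s", val);
    }
    return (have_uid && have_gid) ? 0 : -1;
}
```

A module that keys the lookup on the Kerberos principal's name should escape it the same way before it reaches the directory, and refuse the login rather than guess when the entry lacks a numeric uid or gid.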
