[rhn-users] openldap + pam_ldap + krb5 auth
Nguyen Duc Du Khuong
nddkhuong at gmail.com
Tue Dec 14 15:18:41 UTC 2004
On Tue, 14 Dec 2004 10:16:46 -0500, FM <dist-list at lexum.umontreal.ca> wrote:
> I installed openldap 2.2.x with krb5 (SASL).
>
> Now I am trying to set my station to authenticate my station
>
> my system-auth look like this :
> auth required pam_env.so
> auth sufficient pam_unix.so likeauth nullok
> auth sufficient /lib/security/pam_krb5.so use_first_pass debug
> auth required pam_deny.so
> account sufficient pam_unix.so
> account required pam_deny.so
> account [default=bad success=ok user_unknown=ignore
> service_err=ignore system_err=ignore] /lib/security/pam_krb5.so debug
> account sufficient pam_ldap.so use_first_pass
>
> password required pam_cracklib.so retry=3 minlen=2 dcredit=0
> ucredit=0 ucredit=0
> password sufficient pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/pam_krb5.so debug
> password required pam_deny.so
> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_limits.so
> session required pam_unix.so
> session optional /lib/security/pam_krb5.so
>
> I can connect but in the slapd log, it connect to ldap using BIND dn=""
> and then it auth using sasl
>
> If i try whoami for example the BIND dn is also = ""
>
> So,
> If I put
> use_sasl on
> pam_sasl_mech GSSAPI
>
> in /etc/ldap.conf
>
> now slapd log BIND dn authcid="user at realm"
>
> so it seems ok, but now i cannpot use kdm to connect from my station
> removing the new conf from ldap.conf solved my prob but I'm back with
> the bin dn= ""
>
> Do you have a system-auth + ldap.conf sample for krb5 + openldap ?
>
> thanks !
>
> _______________________________________________
> rhn-users mailing list
> rhn-users at redhat.com
> https://www.redhat.com/mailman/listinfo/rhn-users
>
More information about the rhn-users
mailing list