Hi, I have read as much as I can on the web about this subject (including the stuff at bayour.com, ofb.net/~jheiss/krbldap/ and relevant postings on this mailing list) and was wondering if somebody could help me fill in the missing pieces.

I have set up a Kerberos realm and an LDAP server. With this setup I can get a ticket from the TGS, and using this identity authenticate against the LDAP server. The sasl-regexp is set up correctly and ldapwhoami returns the correct user and information, using SASL authentication.

The final piece of the puzzle I am trying to solve is to log in securely using this setup. There have been posts on this list stating that pam_krb5 is a bad solution for the PAM login service, as for services such as telnet the password is sent in plain text across the network, defeating the purpose of using Kerberos. Therefore the only secure method is to use pam_ldap and force an SSL connection between the client and server. So far so good. Another point raised is that unless authentication is only possible against the LDAP server and the passwords are held in Kerberos, there is no need to use the userPassword attribute with the {kerberos}XXXXXXX mechanism, which forces the LDAP server to retrieve the password from the Kerberos server.

What I can't figure out is how to hold directory information in the LDAP server and the password in Kerberos, set up pam_ldap to use the password given to the login process to acquire a ticket from the Kerberos server, and have LDAP/SASL-GSSAPI use the identity based on the Kerberos authentication to retrieve all the necessary account and user information from the LDAP server (shell, user, uidnumber etc.).

If anybody has set up this configuration, could they please outline the steps taken to set up pam_ldap and the pam.d/login (or system-auth) files correctly.

Thanks in advance
-- adi