
MIT Kerby 5/LDAP integration: Initial success?



Hi All-

Many thanks to all on this list who've helped me get to 
where I think I am now.

I'm kind of excited and writing to report what seems to 
be at least an initial success (still have to get AFS 
data worked into this picture), and to ask some more 
questions about how it works and where some things are 
stored (number of failed login attempts).

Here's what I've done:

1) Made a standard looking DIT 
(ou=People,dc=folkvang,dc=org);

2) Made a bunch of nodes under this container of type 
objectClass: inetOrgPerson; krb5Principal; 
krb5KDCEntry; posixAccount (all of them);

3) Made a sasl-regexp of:
uid=([^/]*),cn=FOLKVANG.ORG,cn=GSSAPI,cn=auth 
uid=$1,ou=People,dc=folkvang,dc=org

4) Made a single ACL rule that let self write cn, sn, 
telephoneNumber, seeAlso, description, title, 
preferredDeliveryMethod, telexNumber, 
facsimileTelephoneNumber, street, postOfficeBox, 
postalCode, postalAddress, physicalDeliveryOfficeName, 
carLicense, departmentNumber, displayName, givenName, 
homePhone, homePostalAddress, initials, jpegPhoto, 
labeledURI, mail, mobile, o, pager, photo, roomNumber, 
secretary, preferredLanguage, loginShell, gecos

4) and another that let * read *

5) I added some nonsense users to my KDC database, and 
populated the People nodes with some of these nonsense 
users with standard values for things like uid, 
uidNumber, gidNumber, etc.

6) on the client machine, configured pam for login, 
xdm, et al. to use the pam_unix2 library, and then 
configured pam_unix2.conf as follows:
auth:   use_ldap call_modules=krb5afs nullok
account:        use_ldap call_modules=krb5afs
password:       use_ldap call_modules=krb5afs blowfish nullok
session:        none

(previously just used "call_modules=krb5afs")

7) Tried to login to the client as one of these 
nonsense users (never configured on client machine 
before, so no /etc/passwd entry, no home dir, nothing)

8) Success!  (warning about non-existent home directory 
as listed in the Directory entry for that user).

But I'm curious about one thing (maybe more).  At 
first, just to make sure I understood what was 
happening, I had a user entry in the Directory (john), 
but no corresponding principal in the KDC database.  
Naturally, this user could not login to the client 
machine.  However, login prompted twice for his 
password (once to check with the KDC?  A second time 
to check with a local /etc/shadow file?).  I tried him 
again with same results.

Then, I added his principal to the KDC and tried him 
again and success (yeah!).  But the login script 
reported the two failed attempts...  where is that 
data stored?  Not in the Directory, right?  Or if it 
is, in what field?  Is that information stored locally 
on the client?  Even though that user has no existence 
as far as the client machine is concerned?

Even though I apparently have the integration working 
to some degree, I'm sure there's still quite a lot 
going on that I'm unaware of and/or don't understand, 
and that's probably a recipe for disaster, so I'm 
trying to understand everything about it.

Could someone point out some of the holes in my 
understanding?

Thanks everyone for all the help!

-Kevin
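The sasl-regexp from step 3, as an added Python example (not code from the post above or from OpenLDAP): it models how slapd rewrites the GSSAPI authorization identity into a directory DN, and shows that the `[^/]*` group leaves instance principals such as `kevin/admin`, and principals from any other realm, unmapped, so they never pick up the "self" write rights from step 4. Whole-string, case-insensitive matching is an assumption about slapd's matcher; the principals used are constructed.

```python
import re
from typing import Optional

# The sasl-regexp pair from the post. slapd matches the SASL authorization
# identity it derives from a GSSAPI bind against the first pattern and
# rewrites it into the second; \1 is the primary part of the principal.
SASL_PATTERN = r"uid=([^/]*),cn=FOLKVANG.ORG,cn=GSSAPI,cn=auth"
SASL_REPLACEMENT = r"uid=\1,ou=People,dc=folkvang,dc=org"

# Assumption: whole-string, case-insensitive matching. This is a model of
# slapd's behaviour for checking the mapping, not slapd's own rewrite engine.
_sasl_re = re.compile(r"\A" + SASL_PATTERN + r"\Z", re.IGNORECASE)


def gssapi_authzid(principal: str) -> str:
    """Authorization identity slapd builds for a GSSAPI bind.

    'kevin@FOLKVANG.ORG' -> 'uid=kevin,cn=FOLKVANG.ORG,cn=GSSAPI,cn=auth'
    """
    name, sep, realm = principal.partition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a fully qualified principal: {principal!r}")
    return f"uid={name},cn={realm},cn=GSSAPI,cn=auth"


def map_to_dn(authzid: str) -> Optional[str]:
    """Apply the sasl-regexp. None means the raw authz-id is kept, which
    names no entry under ou=People and therefore gets no 'self' rights."""
    m = _sasl_re.match(authzid)
    return m.expand(SASL_REPLACEMENT) if m else None


def principal_to_dn(principal: str) -> Optional[str]:
    """Full chain: Kerberos principal -> SASL authz-id -> directory DN."""
    return map_to_dn(gssapi_authzid(principal))


if __name__ == "__main__":
    # Constructed principals: plain user, admin instance, foreign realm.
    for p in ("kevin@FOLKVANG.ORG", "kevin/admin@FOLKVANG.ORG",
              "kevin@OTHER.EXAMPLE"):
        print(f"{p:28} -> {principal_to_dn(p)}")
```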