Kerberos-Gssapi-ldap-pam interaction

[Turbo Fredriksson]

>>>>> "Jerome" == Jerome Walter <walter+SP at M.efrei.fr> writes:

    Jerome> Dans l'article <877k8tfzjb.fsf at papadoc.bayour.com>, Turbo
    Jerome> Fredriksson a écrit :

    >>>>>>> "Jerome" == Jerome Walter <walter+SP at M.efrei.fr> writes:

    >>  What is saying 'Insufficient credentials'? PAM/LDAP? Login?

    Jerome> Mmmh, at login, PAM/LDAP i guess. It appears in the
    Jerome> auth.log : May 14 16:39:23 veau login[735]: pam_ldap:
    Jerome> error trying to bind (invalid credentials)

Did you allow anonymous read to the posixAccount attributes? Might
not be the best solution, but it beats having a DN/password in the
file system that can read it...

    Jerome> Is there someone who have ever installed such a config ?
    >>  On a NUMBER of machines. Rocks MY world! :)

    Jerome> I know that. Got your doc just next to the keyboard ;)
    Jerome> There is a few things to change though.

Such as?

    Jerome> Did you ever PAM to the LDAP to get accounting info ? It
    Jerome> do not appears, just pam_krb5 which works great for me.

http://www.bayour.com/LDAPv3-HOWTO.html#5.3.1.Building%20and%20installation|outline

    Jerome> My first thoughts where that it could come from
    Jerome> supportedSASLmechanisms, which only returns GSSAPI and not
    Jerome> plain, anonymous nor login...

I have ONLY GSSAPI enabled....

    Jerome> Perhaps on the other hand i made an error configuring
    Jerome> libnss-ldap, but i do not know how to test it.

Did you specify 'binddn' etc? You shouldn't (have to)... Mine looks like:

----- s n i p -----
uri ldaps://LDAPSERVER/
base dc=com
ldap_version 2
----- s n i p -----

That's IT!! And the LibPAM/LDAP config file looks like:

----- s n i p -----
uri ldaps://LDAPSERVER/
base dc=com
ldap_version 2
pam_crypt local
----- s n i p -----

    Jerome> Finally, is there something special to do to make sudo and
    Jerome> ssh not requiring entering the password again ?
    Jerome> try_first_pass does not seem to work...
    >>  I don't care. I use 'ksu' instead :)

    Jerome> Yep, but my administrator won't give the root password to
    Jerome> the students who, like me, have some rights to rm, kill,
    Jerome> renice or reboot some stations when needed (some other
    Jerome> students do not use their unix account very properly ;)

You don't have to, that's the beauty! All you do is create the file
'/root/.k5login' with the principals that should have FULL access,
or '/root/.k5users' with principal and command. And you authenticate
with your own ticket!

        man ksu

The files '/root/.k5{login,users}' would (closley, but with better
security) resemble and replace sudo.