Kerberos-Gssapi-ldap-pam interaction

Jerome Walter walter+SP at M.efrei.fr
Thu May 15 07:40:16 EDT 2003


In article <87y919e9aj.fsf at papadoc.bayour.com>, Turbo Fredriksson wrote:
>>>>>> "Jerome" == Jerome Walter <walter+SP at M.efrei.fr> writes:
> 
>    Jerome> In article <877k8tfzjb.fsf at papadoc.bayour.com>, Turbo
>    Jerome> Fredriksson wrote:
> 
>    >>>>>>> "Jerome" == Jerome Walter <walter+SP at M.efrei.fr> writes:
> 
>     >>  What is saying 'Insufficient credentials'? PAM/LDAP? Login?
> 
>    Jerome> Mmmh, at login, PAM/LDAP I guess. It appears in the
>    Jerome> auth.log: May 14 16:39:23 veau login[735]: pam_ldap:
>    Jerome> error trying to bind (invalid credentials)
> 
> Did you allow anonymous read to the posixAccount attributes? Might
> not be the best solution, but it beats having a DN/password in the
> file system that can read it...

Nope.
Isn't it possible to use GSSAPI authentication within the PAM accounting
process?

> 
>    Jerome> Is there someone who has ever installed such a config?
>     >>  On a NUMBER of machines. Rocks MY world! :)
> 
>    Jerome> I know that. Got your doc just next to the keyboard ;)
>    Jerome> There is a few things to change though.
> 
> Such as?

Mmmmh, some of the packages just debuilded don't need to be (anymore?).

I just used libsasl-gssapi-mit and had no need to apt-get source and change
the rules.
This spared me the conflict I had with the Berkeley DB when compiling SASL
and OpenLDAP (SASL asked for 2.0 and OpenLDAP for 4.0 ...).

Plus some other little things. I'll give you all my comments about it when
I have this version working. For the moment, strikes in Paris keep me at
home ;)

>    Jerome> Did you ever PAM to the LDAP to get accounting info? It
>    Jerome> does not appear there, just pam_krb5, which works great for me.
> 
> http://www.bayour.com/LDAPv3-HOWTO.html#5.3.1.Building%20and%20installation|outline

Yep, everything works fine, except that I have no TLS compiled (will do it in
the future, but for this first step I want to use as many already existing
Debian packages as possible).

>    Jerome> My first thoughts were that it could come from
>    Jerome> supportedSASLmechanisms, which only returns GSSAPI and not
>    Jerome> plain, anonymous nor login...
> 
> I have ONLY GSSAPI enabled....

Ok, seeing the four in your doc disappointed me a little ;)

> 
>    Jerome> Perhaps on the other hand I made an error configuring
>    Jerome> libnss-ldap, but I do not know how to test it.
> 
> Did you specify 'binddn' etc? You shouldn't (have to)... Mine looks like:

Nope, in the first try I kept the default files Debian has set ...

[snip]

>    Jerome> Yep, but my administrator won't give the root password to
>    Jerome> the students who, like me, have some rights to rm, kill,
>    Jerome> renice or reboot some stations when needed (some other
>    Jerome> students do not use their unix account very properly ;)
> 
> You don't have to, that's the beauty! All you do is create the file
> '/root/.k5login' with the principals that should have FULL access,
> or '/root/.k5users' with principal and command. And you authenticate
> with your own ticket!

It rocks! Perhaps users would be disappointed if I change it, but never mind
...


Jerome
-- 
-+--   Jérôme Walter - 	I2 EFREI		          ----+-
 Equipe Système - Efrei Robotique - Jap'Efrei - Erasmus Tutors
 "The World is my country" - "Nihon no tomodachi desu"
EFREI System and Networking guide http://perso.efrei.fr/~walter/  
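Added example (not part of the thread, and not code from MIT Kerberos or the HOWTO): a small model of the two files Turbo mentions, showing how /root/.k5login (full access) and /root/.k5users (principal plus permitted commands) let a named principal run a restricted command as root with its own ticket. Principals, realm and command lists are constructed; the "*" wildcard is the one ksu documents, while treating a principal listed without commands as limited to the target user's login shell, and matching commands by exact name, are assumptions of this model, so check the ksu man page for your version.

```python
import os

# Constructed sample files (not from the thread). Realm is a placeholder.
K5LOGIN = "admin/root@EXAMPLE.ORG\n"
K5USERS = """# constructed sample .k5users
jerome@EXAMPLE.ORG kill renice reboot
turbo/secure@EXAMPLE.ORG *
helpdesk@EXAMPLE.ORG
"""

def parse_k5login(text):
    """.k5login: one principal per line; each gets unrestricted access."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def parse_k5users(text):
    """.k5users: principal followed by the commands it may run.
    Returns principal -> list of commands ('*' = any, [] = no command given)."""
    rules = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        rules.setdefault(fields[0], []).extend(fields[1:])
    return rules

def authorized(principal, command, k5login_text, k5users_text, shell="/bin/sh"):
    """Decide whether `principal` may run `command` as the target user."""
    if principal in parse_k5login(k5login_text):
        return True                    # .k5login entry: any command
    allowed = parse_k5users(k5users_text).get(principal)
    if allowed is None:
        return False                   # not listed in either file
    if "*" in allowed:
        return True                    # wildcard: any command
    if not allowed:
        return command == shell        # assumption: shell only
    # Model choice: the command must appear in the list exactly as written.
    return command in allowed

if __name__ == "__main__":
    for who, cmd in [("jerome@EXAMPLE.ORG", "reboot"), ("jerome@EXAMPLE.ORG", "rm"),
                     ("helpdesk@EXAMPLE.ORG", "/bin/sh"), ("stranger@EXAMPLE.ORG", "/bin/sh")]:
        print(who, cmd, "->", "allowed" if authorized(who, cmd, K5LOGIN, K5USERS) else "denied")
```

Each student principal gets only the commands the administrator lists, and nothing in the file system holds a password, which is the point of Turbo's suggestion.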