KERBEROS+SASL+OPENLDAP : login but no ticket
Sensei
senseiwa at mac.com
Fri Feb 10 13:21:20 EST 2006
On 2006-02-10 15:16:07 +0100, "jeremy.briffaut at gmail.com"
<jeremy.briffaut at gmail.com> said:
> Yes, it's the first solution that I have tried.
> login->pam_krb5->kerberos + ldap for account
>
> And I would like to test the login->pam_ldap->openldap->SASL->kerberos just
> for fun :)
> This way, all clients can connect to the server with ldap (no need
> of kerberos). Kerberos clients can additionally have a ticket. But I
> don't know if this is possible with just ldap in pam.
> But kerb and next ldap in pam works.
But this means that the password is in LDAP, you have NO credentials
upon login. SASL/GSSAPI are meant to be used against kerberos granting
access to some resources like ldap entries, not to obtain a ticket...
--
Sensei <senseiwa at mac.com>
Part of the inhumanity of the computer is that, once it is competently
programmed and working smoothly, it is completely honest. (Isaac Asimov)