KERBEROS+SASL+OPENLDAP : login but no ticket
Douglas E. Engert
deengert at anl.gov
Fri Feb 10 14:23:35 EST 2006
jeremy.briffaut at gmail.com wrote:
> Yes, it's the first solution that I have tried.
> login->pam_krb5->kerberos + ldap for account
>
> And I would like to test the login->pam_ldap->openldap->SASL->kerberos just
> for fun :)
> With this way, all clients can connect to the server with ldap (no need
> of kerberos). Kerberos clients can additionally have a ticket.
Not really. The user has not authenticated to the client machine.
The user has only authenticated to the ldap server, and the machine should not
trust this, as it has no bindings to the ldap server.
You need to look closely at where the user and password are used and how
the machine verifies that it is the correct ldap server.
> But I don't know if this is possible with just ldap in pam.
> But kerb and next ldap in pam works.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
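The working arrangement Jeremy describes (login -> pam_krb5 -> Kerberos, with LDAP only supplying account data) can be written as a PAM stack like the one below. This is an added illustration, not a configuration from the thread or from any of the projects mentioned; the module names, the `validate` option (Red Hat's pam_krb5 spelling; other pam_krb5 implementations use a keytab-based check under a different option name) and the file path are assumptions to check against the manual pages of the versions actually installed. The point it makes is Douglas's: the user's password is only ever sent to the KDC, and the client machine verifies the KDC's answer against its own host keytab, so a rogue server cannot produce a successful login. In the pam_ldap -> SASL -> Kerberos path the password is handed to an LDAP server the client has no key material to authenticate.

```conf
# /etc/pam.d/login  (added example; module and option names are assumptions,
# see the pam_krb5 and pam_ldap manual pages for the installed versions)

# Authentication: the password goes to the KDC only, never to the LDAP server.
# 'validate' makes pam_krb5 obtain a service ticket for the local host principal
# and decrypt it with /etc/krb5.keytab, so a spoofed KDC reply is rejected.
auth      required    pam_krb5.so    validate

# Account data (uid, gid, home, shell) comes from LDAP via nss_ldap; pam_ldap
# in the account phase only enforces account restrictions and sees no password.
account   required    pam_ldap.so
account   required    pam_unix.so

# Store the ticket obtained at login in the user's credential cache.
session   required    pam_krb5.so
session   required    pam_unix.so
```

The host keytab is what makes the validation step meaningful: `klist -k` on the client should list a `host/<fqdn>@REALM` principal, and without it pam_krb5 either skips the check or (with MIT's `verify_ap_req_nofail = true` in the `[libdefaults]` section of krb5.conf) refuses the login outright, which is the safer failure mode.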