KERBEROS+SASL+OPENLDAP : login but no ticket

Douglas E. Engert deengert at anl.gov
Fri Feb 10 14:23:35 EST 2006



jeremy.briffaut at gmail.com wrote:

> Yes, It's the first solution that I have tried.
> login->pam_krb5->kerberos + ldap for account
> 
> And I would like to test login->pam_ldap->openldap->SASL->kerberos just
> for fun :)
> With this approach, all clients can connect to the server with ldap (no need
> for kerberos). Kerberos clients can additionally have a ticket.

Not really. The user has not authenticated to the client machine.
The user has only authenticated to the ldap server, and the machine should not
trust this, as it has no binding to the ldap server.

You need to look closely at where the user and password are used and how
the machine verifies that it is the correct ldap server.


> But I
> don't know if this is possible with just ldap in pam.
> But kerb and then ldap in pam works.
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
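As an added illustration (not part of the original thread, and not a configuration either poster published) of the two checks Doug points at: on the pam_ldap path the client must at least verify that it is talking to the right ldap server before it hands over the password, and on the pam_krb5 path the host keytab is what gives the machine its own binding to the KDC. Hostnames, realm, CA file and paths are placeholders; the pam_ldap keywords are those of the PADL /etc/ldap.conf and the `validate`/`keytab=` options are those of Red Hat's pam_krb5, so check them against the man page of the modules actually installed.

```ini
# /etc/ldap.conf (PADL pam_ldap / nss_ldap) -- constructed example.
# Without TLS and peer checking, pam_ldap sends the user's cleartext
# password to whatever answers on port 389 and believes its "bind OK".
uri ldaps://ldap.example.org/
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
# Equivalent for OpenLDAP's own client library (/etc/openldap/ldap.conf):
#   TLS_CACERT  /etc/ssl/certs/example-ca.pem
#   TLS_REQCERT demand

# /etc/pam.d/system-auth fragment -- login -> pam_krb5 -> KDC.
# 'validate' makes pam_krb5 fetch a host/client.example.org@EXAMPLE.ORG
# service ticket with the fresh TGT and decrypt it with the key in
# /etc/krb5.keytab; a KDC that does not hold this host's key cannot
# produce such a ticket, so it cannot fake a successful login.
auth  sufficient  pam_krb5.so  validate keytab=/etc/krb5.keytab
```

The TLS settings only answer "is this the ldap server I meant to talk to", and even then the password leaves the machine. The keytab check is the part that Doug calls a binding: the client machine holds a secret the KDC also knows, so the answer it accepts was provably produced by that KDC rather than by anyone who can stand up a directory that says "bind OK".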


