LDAP + Kerberos grouping/password
Douglas E. Engert
deengert at anl.gov
Fri Dec 19 10:59:56 EST 2008
Mathew Rowley wrote:
> Do you have to sync passwords between Kerberos and LDAP if I am using LDAP
> for user specific information? For example, if I ssh to a box, I want it to
> authenticate with kerberos, but get the gid/uid/shell/homedir from LDAP. Is
> there a way to specify the LDAP PAM module not to auth against LDAP, just
> get the user information?
Not clear why you want to sync passwords. If you want to use Kerberos
for authentication, don't authenticate to LDAP, and don't use the
passwords. Depending on your OS, you can have them set to NP or *NP*
so they can't be used.
So don't use the pam_ldap. Let nsswitch find ldap for getting the
rest of the info and use pam_krb5.
>
> Thanks.
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
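
An added example, not part of the original message: a small Python check of the split described in the reply, with account data coming from LDAP through nsswitch, authentication going through pam_krb5, and no pam_ldap in the auth stack. The sample files are constructed, the function names are hypothetical, and the parser assumes Linux-style /etc/pam.d lines; included stacks are not followed.

```python
import re

# Constructed sample files, not taken from the original post.
NSSWITCH = """\
passwd: files ldap
group:  files ldap
"""
PAM_SSHD = """\
auth     sufficient  pam_krb5.so
auth     required    pam_unix.so try_first_pass
account  required    pam_unix.so
"""
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def nss_sources(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, rest = line.split(":", 1)
            # Drop action items such as [NOTFOUND=return].
            out[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return out

def pam_modules(text, facility="auth"):
    """Module names (path and .so suffix removed) for one PAM facility."""
    mods = []
    for line in text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0].strip())
        if m and m.group(1) == facility:
            mods.append(m.group(3).rsplit("/", 1)[-1].split(".so")[0])
    return mods

def audit(nsswitch, pam):
    """Return findings; an empty list means the files match the advice."""
    findings = []
    src = nss_sources(nsswitch)
    for db in ("passwd", "group"):
        if "ldap" not in src.get(db, []):
            findings.append(f"nsswitch: {db} does not consult ldap")
    auth = pam_modules(pam, "auth")
    if "pam_krb5" not in auth:
        findings.append("pam: no pam_krb5 in the auth stack")
    if "pam_ldap" in auth:
        findings.append("pam: pam_ldap authenticates against LDAP")
    return findings

if __name__ == "__main__":
    print(audit(NSSWITCH, PAM_SSHD) or "ok")
```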