Kerberos and LDAP

Davor Ocelic docelic at mail.inet.hr
Thu Oct 30 09:41:54 EDT 2008


On Thu, 30 Oct 2008 14:05:05 +0100
Ronni Feldt <rofe at one.com> wrote:

> Hi,
> 
> It worked!
> 
> I tried 'id ronni' which did not work.
> Then I stopped nscd and success! I am now able to login using the user
> in LDAP.

Nscd is a caching daemon; so after it caches information about 
'ronni' not existing, it will not figure out you added it until
you run nscd -i passwd or restart it.

> Now, I have read a lot, and seems to have lost the complete overview
> of how it all works together. Can someone explain to me, just in a
> superficial way, how it fits together or point me to a link?

There's nothing special really. NSS is used to get user metadata
(username, id, gid, homedir, shell, etc.), and PAM is used to perform
the actual verification of user credentials (login allowed or not).
And nscd is there just to cache NSS results so that the remote lookup
is not performed all the time.

> My next step is to get Kerberos working with SSH, as I understand it,
> I have to configure SSH to use Kerberos to authenticate the user by
> forwarding my local Kerberos key; is that correct?

Getting ssh to work with Kerberos is 2 or 3 lines...
sshd_config file something like:

# let sshd validate a typed password against the KDC (password-based)
KerberosAuthentication yes
# accept Kerberos tickets through GSSAPI (this is the ticket-based SSO)
GSSAPIAuthentication yes
UsePAM yes

And ssh_config (client) file something like:

Host *
  GSSAPIAuthentication yes
  # do not forward (delegate) the TGT to the server; enable per host only
  GSSAPIDelegateCredentials no

-doc
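As an added example (not part of Davor's reply or anything else in this thread), here is a small POSIX shell script that checks the two pieces of the picture above without touching a live directory: it parses an sshd_config/ssh_config text for the value sshd will actually use for a keyword (sshd takes the first value it reads for a keyword, so a distro default of `GSSAPIAuthentication no` near the top of the file quietly overrides a `yes` appended at the bottom), and it parses an nsswitch.conf text to confirm that the `passwd` line really consults `ldap`, which is a precondition for `id ronni` ever working. The two config texts are constructed for the demo; the `lookup_user` function is the live part (it assumes `getent` and, for the cache flush, `nscd -i passwd` run as root) and only runs when the script is invoked with `--live USER`.

```shell
#!/bin/sh
# Added example, not from the original message. Offline parsers for the two
# config files the thread touches, plus an optional live NSS lookup.

# Constructed sample sshd_config: a distro default at the top, the three
# lines from the reply appended below it.
DEMO_SSHD_CONFIG='# shipped default
GSSAPIAuthentication no
UsePAM yes

# appended later by the admin
KerberosAuthentication yes
GSSAPIAuthentication yes
UsePAM yes'

# Constructed sample /etc/nsswitch.conf with ldap on the passwd line.
DEMO_NSSWITCH='# constructed sample
passwd:         files ldap
group:          files ldap
shadow:         files
hosts:          files dns'

# Effective value of one keyword in an sshd_config/ssh_config text ($1),
# keyword in $2. sshd_config(5): "the first obtained value will be used",
# so the first non-comment match wins. Keywords are case-insensitive.
# Match/Host blocks are not modelled; on a live host use `sshd -T` or
# `ssh -G host` for the fully resolved configuration.
sshd_effective_value() {
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$1" | awk -v key="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key          { print $2; exit }'
}

# Sources listed on the passwd: line of an nsswitch.conf text ($1),
# e.g. "files ldap". Empty output means no passwd line at all.
nss_passwd_sources() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "passwd:"  { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }'
}

# Exit 0 if source $2 (e.g. ldap) appears on the passwd line of text $1.
nss_has_source() {
    for s in $(nss_passwd_sources "$1"); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# Live check: resolve a user through NSS; if that fails, drop nscd's cached
# negative answer for the passwd database (needs root) and retry once,
# which is exactly what fixed the lookup in the thread.
lookup_user() {
    getent passwd "$1" >/dev/null 2>&1 && return 0
    if command -v nscd >/dev/null 2>&1; then
        nscd -i passwd 2>/dev/null
        getent passwd "$1" >/dev/null 2>&1 && return 0
    fi
    return 1
}

main() {
    printf 'effective GSSAPIAuthentication: %s\n' \
        "$(sshd_effective_value "$DEMO_SSHD_CONFIG" GSSAPIAuthentication)"
    printf 'effective KerberosAuthentication: %s\n' \
        "$(sshd_effective_value "$DEMO_SSHD_CONFIG" KerberosAuthentication)"
    printf 'passwd NSS sources: %s\n' "$(nss_passwd_sources "$DEMO_NSSWITCH")"
    if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
        if lookup_user "$2"; then
            echo "user $2 resolves via NSS"
        else
            echo "user $2 not found (check nsswitch.conf and nscd)"
        fi
    fi
}

main "$@"
```

The effective value reported for `GSSAPIAuthentication` in the constructed file is `no`, not the `yes` appended at the end; that first-match rule is the usual reason "I added the three lines and GSSAPI still does not work" on systems whose shipped sshd_config already sets the keyword.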



More information about the Kerberos mailing list