Kerberos and LDAP
Ronni Feldt
rofe at one.com
Fri Oct 31 04:43:55 EDT 2008
> > Now, I have read a lot, and seems to have lost the complete overview
> > of how it all works together. Can someone explain to me, just in a
> > superficial way, how it fits together or point me to a link?
>
> There's nothing special really. NSS is used to get user metadata
> (username, id, gid, homedir, shell, etc..), and PAM is used to perform
> the actual verification of user credentials (login allowed or not).
> And nscd is there just to cache NSS results so that the remote lookup
> is not performed all the time.
Okey, this means it's something like this:
1. User login
2. PAM authenticates the user using info in /etc/pam.d/common-auth,
which tells it to use info from the local workstation and kerberos,
because of:
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
In this step PAM is also using /etc/pam.d/common-password to find out
how to evaluate passwords. Again both local passwords and passwords in
Kerberos will do.
password sufficient pam_unix.so nullok obscure md5
password required pam_krb5.so use_first_pass
Question: Am I missing a password required pam_deny.so here?
3. If the user authentication is successful, PAM
uses /etc/pam.d/common-account to grant privileges to the user; the
ressources that the user may have access to. Again local information is
okey, as well as information from LDAP and Kerberos (Why Kerberos? It
only authenticates.)
account sufficient pam_unix.so
account required pam_ldap.so
account required pam_krb5.so
In the steps above, PAM is using NSS (/etc/nsswitch.conf) to get
information about username, privileges etc. NSS bridges the information
from LDAP and/or local information to PAM.
/etc/nsswitch.conf
passwd: ldap files
group: ldap files
shadow: ldap files
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Is that correct ?
- Ronni
More information about the Kerberos
mailing list