kdm cannot access to openldap database

cloc3 ziapannocchia at gmail.com
Fri Feb 13 21:25:23 EST 2009


On Feb 13, 10:16 pm, Luke Scharf <luke.sch... at clusterbee.net> wrote:
>
> Using an x509 host-certificate for host-level authentication?
>
> -Luke

I've done something simpler.
First of all, I've created a Kerberos user for PAM services, with a
random key, and I've added it to the /etc/ldap/ldap.keytab file.

kadmin.local -q "addprinc -randkey pam@EXAMPLE.COM"
kadmin.local -q "ktadd -k /etc/ldap/ldap.keytab pam@EXAMPLE.COM"

Afterwards, I've added a kinit instruction to the /etc/init.d/kdm service
script:

kinit -kt /etc/ldap/ldap.keytab pam@EXAMPLE.COM

Finally, I had a problem with kdm (3.5): the program needs to
access the loginShell OpenLDAP attribute to add the user to the
user list, but loginShell often has limited access.
So I added this to slapd.access:

access to attrs=loginShell
    by dn="uid=pam,cn=paschini.edu,cn=gssapi,cn=auth" read
    by dn="cn=admin,dc=paschini,dc=edu" write
    by anonymous auth
    by self write
    by * none
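
As an added illustration (not from the post and not OpenLDAP code), a small Python simulation of how slapd evaluates an access clause like the one above: the `by` clauses are tried in the order written and the first one whose who-part matches decides the level, so the SASL-mapped DN of the pam principal must match the `dn=` exactly; a DN with a different realm component falls through to `by * none`. The entry DNs (uid=alice, uid=bob) and the realm-mismatch DN are constructed for the example.

```python
import re

# slapd access levels in increasing order; a grant of level X implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The access clause from the post (constructed copy, first dn= quoted like the second).
ACL = """
access to attrs=loginShell
    by dn="uid=pam,cn=paschini.edu,cn=gssapi,cn=auth" read
    by dn="cn=admin,dc=paschini,dc=edu" write
    by anonymous auth
    by self write
    by * none
"""

def parse_acl(text):
    """Return (set of target attrs, [(who, level), ...]) in written order."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    attrs = set(re.match(r"access to attrs=(\S+)", lines[0]).group(1).split(","))
    rules = []
    for ln in lines[1:]:
        who, level = re.match(r'by (dn="[^"]*"|dn=\S+|anonymous|self|\*) (\w+)$', ln).groups()
        rules.append((who.replace('"', ""), level))
    return attrs, rules

def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous bind; 'dn=' is an exact (case-insensitive) match."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    return bind_dn is not None and bind_dn.lower() == who[3:].lower()  # dn=<DN>

def access_level(acl, bind_dn, target_dn, attr):
    """Level bind_dn gets on attr of target_dn: the first matching 'by' clause wins
    and later clauses are never consulted. None means this clause does not apply."""
    attrs, rules = parse_acl(acl)
    if attr not in attrs:
        return None
    for who, level in rules:
        if who_matches(who, bind_dn, target_dn):
            return level
    return "none"

def allows(acl, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least 'needed' (kdm needs 'read' on loginShell)."""
    lvl = access_level(acl, bind_dn, target_dn, attr)
    return lvl is not None and LEVELS.index(lvl) >= LEVELS.index(needed)
```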