NIS => Kerberos/LDAP Migration
Russ Allbery
rra at stanford.edu
Tue May 19 15:03:59 EDT 2009
Marcus Watts <mdw at umich.edu> writes:
> I'm not sure I understand why
> Authen::Krb5::Admin
> http://search.cpan.org/~korty/Authen-Krb5-Admin-0.11/Admin.pm
> is a problem. I've run it with various incarnations of MIT 1.4.3 /
> 1.6.3 for a while now. Ok, they weren't stock, but I don't remember doing
> anything special to export the necessary kadm5 functions. The only messy
> bit is that Authen::Krb5::Admin provides its own header files for the MIT
> functions - that sucks, but that having been said, it basically works.
> Is there something special about debian's MIT kerberos libraries?
That works -- you just can't use it in a PAM module. PAM modules
generally need to be C. I suppose you could embed a Perl interpreter in
a PAM module, but that terrifies me. You could also write a PAM module
that talks to something written in Perl via a local socket or something,
but now you're getting into a fair bit of coding.
> Instead of cloning the headers (like Authen::Krb5::Admin does) it
> should also be quite feasible to just get the debian source package
> for k5, configure or build as necessary, rip the desired headers out,
> modify as necessary, and use them direct. Admittedly, this is a hack,
> and a bad idea, and all that, but for migration purposes (surely you
> don't plan on doing this long-term?) this ought to suffice. Here's a
> mail message I posted May 2007 that describes how to do this:
> http://mailman.mit.edu/pipermail/krbdev/2007-March/005702.html
Yeah, you could do this.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list