Jason Gerfen jason.gerfen at
Tue Apr 3 08:35:48 EDT 2007

I am not sure where to ask this but I have been working on a project
for my employer which implements some OpenLDAP/ Active Directory
lookup information for the existing pam_krb5 module maintained by
Nalin Dahyabhai.

Does your group accept proposals regarding new features for the krb5.conf?

If so, I am proposing the following type of configuration directives be added:

pam = {
        ticket_lifetime = 1d
        schema_type = [ad | ldap]
        server_list =
        ldap_port = 389
        ldap_ssl = [ ssl | tls ]
        bind_dn = uid=username,ou=container,dc=domain,dc=com
        base_dn = ou=listofusers,dc=domain,dc=com
        read_user = readonlyusername
        ldap_pass = [md5hash of password]
}

If I am indeed asking the wrong questions or proposing something that
would be better off implemented using a separate configuration file
etc. etc., let me know.

I am currently using a separate configuration file to manage the
application directives and for those that want to know something about
the project here is a brief synopsis:

Creates a local password-less user account for the uid/gid mapping
currently in the pam_krb5 authentication process from results of the
ldap / active directory lookup on the user name. Please note that,
unlike the nss_ldap and pam_ldap modules currently used, this addition to
the pam_krb5 module does NOT try to authenticate the user using ldap;
it simply uses it as a method of looking up remote users vs. using nss
etc. etc.

Any feedback is appreciated.

Jason Gerfen
jason.gerfen at
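The stanza proposed in the message, parsed and sanity-checked before anything would bind to a directory, as an added example that is not part of the original post or of pam_krb5; the sample stanza text, the server names and the placeholder credential are constructed, and the accepted value sets are taken from the bracketed alternatives in the proposal.

```python
import re

# Constructed sample of the proposed 'pam' stanza (not from any real krb5.conf).
SAMPLE_STANZA = """
pam = {
        ticket_lifetime = 1d
        schema_type = ad
        server_list = ldap1.example.com ldap2.example.com
        ldap_port = 389
        ldap_ssl = tls
        bind_dn = uid=readonlyusername,ou=container,dc=example,dc=com
        base_dn = ou=listofusers,dc=example,dc=com
        read_user = readonlyusername
        ldap_pass = placeholder-not-a-real-secret
}
"""

STANZA_RE = re.compile(r"^\s*pam\s*=\s*\{(.*?)^\s*\}", re.S | re.M)
# Enumerated directives and their allowed values, as bracketed in the proposal.
ENUMS = {"schema_type": ("ad", "ldap"), "ldap_ssl": ("ssl", "tls")}


def parse_pam_stanza(text):
    """Return the key/value pairs of the 'pam = { ... }' block as a dict.
    Raises ValueError if the block is missing or a line is not 'key = value'."""
    m = STANZA_RE.search(text)
    if not m:
        raise ValueError("no 'pam = { ... }' stanza found")
    cfg = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the FIRST '=' only: DNs contain '='
        if not sep:
            raise ValueError("malformed directive: %r" % line)
        cfg[key.strip()] = value.strip()
    return cfg


def validate_pam_config(cfg):
    """Return a list of problems; an empty list means the stanza is usable."""
    problems = []
    for key, allowed in ENUMS.items():
        if cfg.get(key) not in allowed:
            problems.append("%s must be one of %s" % (key, "|".join(allowed)))
    if not re.fullmatch(r"\d+[smhd]?", cfg.get("ticket_lifetime", "")):
        problems.append("ticket_lifetime must be a number optionally followed by s, m, h or d")
    if not cfg.get("ldap_port", "").isdigit() or not 0 < int(cfg["ldap_port"]) < 65536:
        problems.append("ldap_port must be a TCP port number")
    if not cfg.get("server_list"):
        problems.append("server_list must name at least one directory server")
    for key in ("bind_dn", "base_dn"):
        if "dc=" not in cfg.get(key, "").lower():
            problems.append("%s must be a distinguished name" % key)
    if cfg.get("ldap_ssl") == "ssl" and cfg.get("ldap_port") == "389":
        problems.append("ldap_ssl = ssl normally pairs with port 636, not 389")
    return problems
```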
