> Hello,
> I am not sure where to ask this but I have been working on a project
> for my employer that implements some OpenLDAP/Active Directory
> lookup information for the existing pam_krb5 module maintained by
> Nalin Dahyabhai.
> Does your group accept proposals regarding new features for krb5.conf?
> If so, I am proposing the following type of configuration directives be added:
> [appdefaults]
> pam = {
>     ticket_lifetime = 1d
>     ...
>     schema_type = [ad | ldap]
>     server_list =

This configuration section in krb5.conf is 'application-specific', thus 
you shouldn't need to coordinate its syntax with MIT or other Kerberos 
implementations.  It's specific to Nalin's PAM module.

> I am currently using a separate configuration file to manage the
> application directives and for those that want to know something about
> the project here is a brief synopsis:
> Creates a local password-less user account for the uid/gid mapping
> currently in the pam_krb5 authentication process from results of the
> LDAP / Active Directory lookup on the user name. Please note that,
> unlike the nss_ldap and pam_ldap modules currently used, this addition to
> the pam_krb5 module does NOT try to authenticate the user using LDAP;
> it simply uses it as a method of looking up remote users vs. using nss
> etc. etc.

Are you going to implement principal mapping via the 'krbName' LDAP 
attribute?  That would be particularly interesting for me, since currently 
there is no good way to configure pam_krb5 to authenticate users in 
multiple realms, without maintaining a local mapping rules file on each 
host.  (problematic if you have 1000s of machines)

What else were you intending to do with LDAP?


Chris Wing
wingc at

