Christopher Allen Wing wingc at
Tue Apr 3 09:07:34 EDT 2007


On Tue, 3 Apr 2007, Jason Gerfen wrote:

> Hello,
> I am not sure where to ask this but I have been working on a project
> for my employer which implements some OpenLDAP/ Active Directory
> lookup information for the existing pam_krb5 module maintained by
> Nalin Dahyabhai.
> Does your group accept proposals regarding *new features for the krb5.conf?
> If so, I am proposing the following type of configuration directives be added;
> [appdefaults]
> pam = {
>         ticket_lifetime = 1d
>         ...
>         schema_type = [ad | ldap]
>         server_list =

This configuration section in krb5.conf is 'application-specific', thus 
you shouldn't need to coordinate its syntax with MIT or other Kerberos 
implementations.  It's specific to Nalin's PAM module.

> I am currently using a separate configuration file to manage the
> application directives and for those that want to know something about
> the project here is a brief synopsis:
> Creates a local *password-less user account for the uid/gid mapping
> currently in the pam_krb5 authentication process from results of the
> ldap / active directory lookup on the user name. Please note that
> unlike the nss_ldap, pam_ldap modules currently used this addition to
> the pam_krb5 module does NOT try to authenticate the user using ldap,
> it simply uses it as a method of looking up remote users vs. using nss
> etc. etc.

Are you going to implement principal mapping via the 'krbName' LDAP 
attribute?  That would be particularly interesting for me, since currently 
there is no good way to configure pam_krb5 to authenticate users in 
multiple realms, without maintaining a local mapping rules file on each 
host.  (problematic if you have 1000s of machines)

What else were you intending to do with LDAP?


Chris Wing
wingc at
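Chris's point that [appdefaults] is application-specific rests on how the Kerberos library resolves those values: the krb5_appdefault_* calls look for the option under the application name and realm, then under the application name alone, then under the realm alone, then at the top of [appdefaults]. Any application can therefore add its own keys (such as the proposed schema_type and server_list) without touching the library. The following is an added illustration, not code from MIT Kerberos or from Nalin's pam_krb5: a small krb5.conf parser plus a lookup that mirrors that resolution order. The sample configuration, the realm name and the LDAP host names inside it are constructed for the example.

```python
"""Added example: parse krb5.conf and resolve [appdefaults] values the way
krb5_appdefault_* does (app/realm, app, realm, then global). Not MIT code."""
import re

# Constructed sample krb5.conf: the 'pam' block carries the directives
# proposed on the list, plus a realm-specific override. Hostnames and the
# realm are placeholders for the example.
SAMPLE_KRB5_CONF = """\
# constructed sample
[libdefaults]
    default_realm = EXAMPLE.COM

[appdefaults]
    forwardable = true
    pam = {
        ticket_lifetime = 1d
        schema_type = ad
        server_list = ldap1.example.com ldap2.example.com
        EXAMPLE.COM = {
            schema_type = ldap
        }
    }
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into nested dicts: section -> key -> value or subdict.

    Supports '[section]' headers, 'key = value' lines and 'key = { ... }'
    blocks closed by a lone '}'. Lines starting with '#' or ';' are comments.
    """
    root = {}
    stack = []          # dicts currently open by '{' (innermost last)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            stack = [root.setdefault(header.group(1), {})]
            continue
        if line == '}':
            stack.pop()
            continue
        if not stack:
            raise ValueError("key/value outside any [section]: %r" % raw)
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == '{':
            sub = {}
            stack[-1][key] = sub
            stack.append(sub)
        else:
            stack[-1][key] = value
    return root


def appdefault(conf, app, realm, option, default=None):
    """Resolve an [appdefaults] option in krb5_appdefault_* order:
    app/realm, then app, then realm, then the bare [appdefaults] level."""
    appd = conf.get('appdefaults', {})
    appsec = appd.get(app, {})
    if not isinstance(appsec, dict):
        appsec = {}
    realmsec = appd.get(realm, {})
    if not isinstance(realmsec, dict):
        realmsec = {}
    for scope in (appsec.get(realm, {}), appsec, realmsec, appd):
        value = scope.get(option) if isinstance(scope, dict) else None
        if isinstance(value, str):
            return value
    return default


def load_sample():
    """Parse the constructed sample above (used by the demo and tests)."""
    return parse_krb5_conf(SAMPLE_KRB5_CONF)


if __name__ == '__main__':
    conf = load_sample()
    for realm in ('EXAMPLE.COM', 'OTHER.COM'):
        print(realm, 'schema_type =',
              appdefault(conf, 'pam', realm, 'schema_type'),
              'server_list =',
              appdefault(conf, 'pam', realm, 'server_list'))
```

The realm-level override shows why a module author can keep realm-specific LDAP settings (schema type, server list) inside its own block: the library never interprets those keys, it only hands them back to the application that asked for them.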
