Douglas E. Engert deengert at
Tue Apr 3 09:35:56 EDT 2007

Jason Gerfen wrote:
> Hello,
> I am not sure where to ask this but I have been working on a project
> for my employer which implements some OpenLDAP/ Active Directory
> lookup information for the existing pam_krb5 module maintained by
> Nalin Dahyabhai.
> Does your group accept proposals regarding *new features for the krb5.conf?
> If so, I am proposing the following type of configuration directives be added;
> [appdefaults]
> pam = {
>         ticket_lifetime = 1d
>         ...
>         schema_type = [ad | ldap]
>         server_list =
>         ldap_port = 389
>         ldap_ssl = [ ssl | tls ]
>         bind_dn = uid=username,ou=container,dc=domain,dc=com
>         base_dn = ou=listofusers,dc=domain,dc=com
>         read_user = readonlyusername
>         ldap_pass =  [md5hash of password]
> }
> If I am indeed asking the wrong questions or proposing something that
> would be better off implemented using a separate configuration file
> etc. etc. Let me know.
> I am currently using a separate configuration file to manage the
> application directives and for those that want to know something about
> the project here is a brief synopsis:
> Creates a local *password-less user account for the uid/gid mapping
> currently in the pam_krb5 authentication process from results of the
> ldap / active directory lookup on the user name. Please note that
> unlike the nss_ldap, pam_ldap modules currently used this addition to
> the pam_krb5 module does NOT try to authenticate the user using ldap,
> it simply uses it as a method of looking up remote users vs. using nss
> etc. etc.

You mention the nss_ldap and pam_ldap, but you can use nss_ldap without
pam_ldap. Thus a pam_krb5 with the nss_ldap should do everything you are
proposing to do since the getpwnam and related routines used by pam_krb5
all end up using nsswitch.conf and thus can use nss_ldap. Also AD
does have some support for RFC 2307. Am I missing something?

If you are not going to use nss_ldap, how will you handle calls to
getpwnam and friends by other non-login programs for example "ls" which
needs to map uid to names?

Also look at nscd that will cache information obtained via nsswitch
including nss_ldap. If nss_ldap is not good enough for your application,
why not look at modifying nss_ldap?

So I would say the use of the krb5.conf is not the place for your

In any case, since this is a Kerberos list, why are you still using
simple bind, and not SASL with GSSAPI using the host principal? That
works with AD, if the host is registered.

> Any feedback is appreciated.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

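The configuration below is an added illustration of the setup Engert describes, not something posted in this thread nor shipped by pam_krb5 or PADL's nss_ldap: Kerberos (pam_krb5) does the authentication, nss_ldap supplies the uid/gid mapping for getpwnam() and friends, nscd caches the answers, and the directory lookups are authenticated with the host principal via SASL/GSSAPI rather than a simple bind with a stored password. Hostnames, the realm, the base DNs, the keytab and cache paths are assumed placeholders; the attribute mappings assume an Active Directory with the RFC 2307 (Services for UNIX / Identity Management for UNIX) attributes populated.

```conf
# file: /etc/nsswitch.conf
# pam_krb5 resolves the user with getpwnam(); so do ls, ps, find, cron and
# every other program that maps a uid to a name. All of them come through here,
# so the LDAP lookup lives in NSS, not in the PAM module.
passwd:     files ldap
group:      files ldap
shadow:     files

# file: /etc/ldap.conf  (PADL nss_ldap client settings; pam_ldap is NOT loaded)
# Assumed placeholders: dc1/dc2.example.com, dc=example,dc=com, the CA file.
uri             ldap://dc1.example.com ldap://dc2.example.com
base            dc=example,dc=com
ldap_version    3
bind_policy     soft
# No binddn/bindpw here at all. The host's own Kerberos identity is used for
# the directory connection, so nothing (not even a hash) has to be stored
# in a world-readable config file.
use_sasl        on
sasl_mech       GSSAPI
# Credential cache for that identity; filled from the keytab, see the k5start
# line further down.
krb5_ccname     FILE:/var/run/nss_ldap.ccache
# Where to search, and how AD's names map onto the RFC 2307 schema nss_ldap
# expects. uidNumber/gidNumber/loginShell come straight from the SFU/IdMU
# attributes; the Windows homeDirectory is replaced by unixHomeDirectory.
nss_base_passwd     ou=People,dc=example,dc=com?sub
nss_base_group      ou=Groups,dc=example,dc=com?sub
nss_map_objectclass posixAccount  user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup    group
nss_map_attribute   uid           sAMAccountName
nss_map_attribute   uniqueMember  member
nss_map_attribute   homeDirectory unixHomeDirectory
nss_initgroups_ignoreusers root
# Still wrap the connection in TLS and verify the DC's certificate; GSSAPI
# authenticates the client, the certificate check authenticates the server.
ssl             start_tls
tls_cacertfile  /etc/ssl/certs/example-ca.pem
tls_checkpeer   yes

# file: /etc/nscd.conf  (excerpt)
# nscd sits in front of nsswitch for every process, so a burst of getpwnam()
# calls from one "ls -l" turns into a single LDAP query per TTL.
enable-cache            passwd  yes
positive-time-to-live   passwd  600
negative-time-to-live   passwd  20
enable-cache            group   yes
positive-time-to-live   group   600

# file: /etc/rc.local  (or an init script)  -- keep the host ticket fresh.
# The host must already be joined, i.e. host/client.example.com@EXAMPLE.COM
# exists in AD and its key is in /etc/krb5.keytab (assumed here).
# k5start -b: background, -K 60: re-kinit every 60 minutes, -f: keytab,
# -k: write to the same cache krb5_ccname points at.
# k5start -b -K 60 -f /etc/krb5.keytab -k /var/run/nss_ldap.ccache \
#         host/client.example.com@EXAMPLE.COM

# file: /etc/pam.d/system-auth  (excerpt)
# Authentication is Kerberos-only; no pam_ldap line anywhere in the stack.
auth        sufficient  pam_unix.so nullok try_first_pass
auth        sufficient  pam_krb5.so use_first_pass
auth        required    pam_deny.so
account     required    pam_unix.so broken_shadow
account     sufficient  pam_krb5.so
account     required    pam_permit.so
session     optional    pam_krb5.so
session     required    pam_unix.so
```

To check the pieces independently: `KRB5CCNAME=/var/run/nss_ldap.ccache klist` should show a valid ticket for the host principal, `ldapsearch -Y GSSAPI -H ldap://dc1.example.com -b dc=example,dc=com '(sAMAccountName=someuser)' uidNumber gidNumber` (same KRB5CCNAME) confirms the directory accepts the host's GSSAPI bind and returns the RFC 2307 attributes, and `getent passwd someuser` confirms the nsswitch path that pam_krb5 and `ls` will both take. Note that nss_ldap reads the ticket cache as whatever uid the calling process runs under; with the cache owned by root and mode 0600, lookups from unprivileged processes fall back to an anonymous (or `rootuse_sasl`-style) connection, so either allow anonymous reads of the needed attributes or put nscd in front so that all queries originate from root.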
More information about the krbdev mailing list