MJD Shop Account wrote:
>>> How does use of this plugin relate to setting the userPassword
>>> attribute to something like '{KERBEROS}user@REALM'? Is that a
>>> completely separate method for using kerberos?
>>>
>> Yes. It is completely different and doesn't use a special userPassword
>> value.
>>
>
> Where would it be appropriate to use the {KERBEROS}user@REALM method? Any
> pointers to read up on it? I think an earlier message thread indicated it was
> deprecated... I'm not sure which is the best for my situation. If it
> required saslauthd, for instance, that would not work for me.
>
Fedora DS does not support the {KERBEROS}user@REALM method in the
userPassword attribute. That is an OpenLDAP only feature,
AFAIK.
>
>> SASL mapping should work for SASL BINDs. The PAM passthru plugin should
>> only be used in those cases where you have a client that only supports
>> simple (i.e. username/password) BIND.
>>
>
> I guess I'm not 100% sure how this will work for, say, someone
> logging in via a console. Right now, I have a pam modules stack with
> pam_ldap.so followed by pam_krb5.so. How would a login at a console terminal
> (either text or RH graphical Xwindows login) result in an SASL bind to LDAP? My
> /etc/ldap.conf is set for anonymous binds. Perhaps I should reverse the order
> and have krb5 before ldap, as I want krb5 to be used ultimately for
> authentication. Right now, the user might have an LDAP password and a separate
> krb5 password; if they log in with the krb5 password they get KerberosV
> credentials as shown by klist.
>
> To be clear again, I would still need the passthrough to support the
> cross-realm situation, I think. So maybe ldap before krb5 is just fine for that
> reason.
>
> Another more general question. As I want to use the passthrough module
> strictly to do the Kerberos logins, I assume the
> 'ldapserver' pam file would only need pam_krb5.so and not, for
> example, pam_unix.so. Is that right?
>
I think so, but I'm not sure. You'll have to ask a PAM guru
for that.
> Thanks!
>
> Marty
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
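As an added example, not code from this thread or from the Fedora DS project, here is what a Kerberos-only 'ldapserver' PAM service file of the kind Marty describes could look like. The service name 'ldapserver' comes from the thread; the file path assumes a Red Hat-style /etc/pam.d layout, and the inclusion of an account line assumes the passthru plugin consults account management as well as authentication.

```text
# /etc/pam.d/ldapserver   (assumed path)
# PAM service the directory's PAM passthru plugin authenticates simple
# BINDs against.  Added example, not project code.
#
# Only Kerberos is consulted: no pam_unix.so, so a local /etc/shadow entry
# is neither needed nor usable for BINDs that pass through here.
auth      required    pam_krb5.so
account   required    pam_krb5.so
```

One caveat worth checking before relying on this stack: pam_krb5 can only detect a forged KDC reply if the directory host has a keytab (normally a host/ principal) it can use to validate the TGT it obtains; without one, anyone who can answer as the KDC for that host can pass a simple BIND as any principal. Run `klist -k` on the directory server and confirm a host principal is present, and if pam_krb5 logs that the TGT failed verification or was not verified, treat the setup as incomplete.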