
List:       pamldap
Subject:    [pamldap] pam_ldap + krb5 auth
From:       FM <dist-list () LEXUM ! UMontreal ! CA>
Date:       2004-12-13 21:49:36
Message-ID: 41BE0E70.8010600 () lexum ! umontreal ! ca

I installed openldap 2.2.x with krb5 (SASL).

Now I am trying to set up my station to authenticate.

My system-auth looks like this:
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_krb5.so use_first_pass debug
auth        required      pam_deny.so
account     sufficient    pam_unix.so
account     required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]   /lib/security/pam_krb5.so debug
account     sufficient    pam_ldap.so use_first_pass

password    required      pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0 ucredit=0
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_krb5.so debug
password    required      pam_deny.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      /lib/security/pam_krb5.so


I can connect, but in the slapd log it connects to LDAP using BIND dn=""
and then it authenticates using SASL.

If I try whoami, for example, the BIND dn is also "".

So,
If I put
use_sasl on
pam_sasl_mech GSSAPI

in /etc/ldap.conf

now the slapd log shows BIND dn authcid="user@realm"

So it seems OK, but now I cannot use kdm to connect from my station.
Removing the new conf from ldap.conf solved my problem, but I'm back with
the BIND dn="".

Do you have a system-auth + ldap.conf sample for krb5 + openldap?


Thanks!
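The following is an added example, not code from the original post or from pam_ldap/pam_krb5. It applies the Linux-PAM control-flag semantics from pam.conf(5) (required, requisite, sufficient, optional and the bracketed [value=action ...] form) to the account stack posted above, using constructed module verdicts in place of real PAM calls, to show which module actually decides the account phase for a user in /etc/passwd versus a user that exists only in LDAP/Kerberos. The verdict tables, the REORDERED_ACCOUNT variant and the simplified dispatcher are assumptions of this example.

```python
"""Simulate Linux-PAM control-flag dispatch over a system-auth account stack.

Added example (not from the original post). Module return codes are
constructed; no real PAM module is loaded. Dispatch is simplified: the
first recorded failure is final, 'ok'/'done' never override it.
"""
import re

# pam.conf(5): simple keywords are shorthand for these bracketed controls.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# type, control (keyword or [...] block), module path, optional arguments
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")

# The account group from the posted system-auth, wrapped line rejoined.
POSTED_ACCOUNT = """
account     sufficient    pam_unix.so
account     required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]   /lib/security/pam_krb5.so debug
account     sufficient    pam_ldap.so use_first_pass
"""

# Hypothetical variant: same modules, pam_deny moved after the granting modules.
REORDERED_ACCOUNT = """
account     sufficient    pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]   /lib/security/pam_krb5.so debug
account     sufficient    pam_ldap.so use_first_pass
account     required      pam_deny.so
"""

# Constructed verdicts (module -> PAM return code) for two kinds of user.
# pam_deny(8) returns PAM_ACCT_EXPIRED from its account-management hook.
LOCAL_USER = {"pam_unix.so": "success", "pam_deny.so": "acct_expired",
              "pam_krb5.so": "user_unknown", "pam_ldap.so": "user_unknown"}
LDAP_ONLY_USER = {"pam_unix.so": "user_unknown", "pam_deny.so": "acct_expired",
                  "pam_krb5.so": "success", "pam_ldap.so": "success"}


def parse_stack(config, facility):
    """Return [(module, {retcode: action})] for one management group."""
    stack = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) != facility:
            continue
        ctrl, module = m.group(2), m.group(3).rsplit("/", 1)[-1]
        if ctrl.startswith("["):
            actions = dict(tok.split("=", 1) for tok in ctrl[1:-1].split())
        else:
            actions = dict(SIMPLE_CONTROLS[ctrl])
        stack.append((module, actions))
    return stack


def run_stack(stack, verdicts):
    """Return (final_status, [(module, retcode, action), ...]).

    status None = undecided; 'success' = positive so far; any other value is
    the first recorded failure, which later ok/done actions cannot override.
    """
    status, trace = None, []
    for module, actions in stack:
        ret = verdicts.get(module, "service_err")
        action = actions.get(ret, actions.get("default", "bad"))
        trace.append((module, ret, action))
        if action == "ignore":
            continue  # this module's result does not contribute
        if action.isdigit():
            raise ValueError("jump actions (N) are not modelled here")
        if status in (None, "success"):
            status = ret  # ok/done adopt the result; bad/die record the first failure
        if action == "die" or (action == "done" and status == "success"):
            break  # requisite failure, or sufficient success with no prior failure
    return (status or "success"), trace


def account_result(config, verdicts):
    """Final account-phase status for one config and one set of verdicts."""
    return run_stack(parse_stack(config, "account"), verdicts)[0]


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_ACCOUNT), ("reordered", REORDERED_ACCOUNT)):
        for who, verdicts in (("local user", LOCAL_USER), ("ldap-only user", LDAP_ONLY_USER)):
            final, trace = run_stack(parse_stack(cfg, "account"), verdicts)
            print(f"{label:9s} {who:14s} -> {final}")
            for module, ret, action in trace:
                print(f"    {module:12s} returned {ret:13s} action {action}")
```

Run the file directly to see the trace. For a local user pam_unix grants and the stack stops there; for a user unknown to pam_unix the posted order records pam_deny's failure as `required` before pam_krb5 and pam_ldap run, so their later success is `ok`/`done` on an already-failed stack and cannot grant. The reordered variant lets pam_krb5/pam_ldap decide and only reaches pam_deny when nothing granted.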




