I would like to use the pam_passthru plugin to use kerberos
authentication via pam_krb5, but am running into a few issues. I
need to specify an attribute to use, as I have multiple realms--my
uid is just a login name, for the kerberos to work I need
<uid>@<realm>. I wasn't sure what to use for the attribute, and was
thinking of hijacking the 'description' attribute for this purpose.
However another posting to this list gave me the idea of just
extending the schema with an additional attribute in 99user.ldif. I
would likely want to copy the definition for 'uid' from, say class
posixaccount, but rename it to krb5uid or something. Can anyone
point me to detailed instructions? Is this trivial or difficult? I
looked at the current schema files and was not sure what I wold need
to copy to make it work, and how to add the new attribute explicitly
to the class schema as an optional attribute.
What are the consequences of adding such an attribute when
replication is occurring? I assume I must extend the schema on each
server, what happens if I neglect to extend the schema on one server
and it receives replica info that has this new attribute populated
for some users?
I would also entertain the idea of having an attribute with just the
realm (or a proxy for the realm), and constructing the krbuid
equivalent via some operational attribute that constructs it via uid
+ "@" + realm on the fly, if this is possible. I might even be able
to do this using existing location attribute or another existing
attribute, I can easily determine the correct realm from
corresponding location-specific info associated with each user. But,
I don't know how to do this in practice.
Also, if anyone has an example pam ldapserver file they could share,
I would appreciate it.
-Marty