Jonathan Schreiter wrote:
I am interested in switching from MIT Kerberos5 (GSSAPI/SASL), OpenLDAP to FDS.
Primarily, I'm looking for authentication and authorization for fedora / centos
console logins (via PAM).
Currently I have a cron job that keeps a kerberos service principal alive to allow slapd
to bind to openldap (as I've also disabled anonymous binds). I also have startTLS
running w/o client authentication (just server certificates and the local client has the
CA pub cert).
I then have nsswitch/pam configured to use these for console (console,ssh,etc) logins.
I'm currently using the pam_sasl_mech GSSAPI and pam_groupdn features of the
/etc/ldap.conf (/etc/openldap/ldap.conf) to manage authorization to the local system (by
pointint to a posix group dn).
I was able to setup FDS to for console sessions with cleartext and nsswitch. I'm not
sure which route to take in terms of locking down FDS with a pure linux environment. The
straight SSL certificate approach seems to want the user to enter a password before a
bind, so I'm not sure that's compatible with PAM. Is TLS a better option for
this? The last option seems to be to keep Kerberos / GSSAPI, but I've read some posts
where you can't easily do this.
It's not that bad.
I've tried to make the SASL mapping as the docs show, but was
I think your best option is to just keep Kerberos for authentication,
especially if you are already using it successfully for other apps.
What problems did you have with SASL mapping?
Did you see this - http://directory.fedora.redhat.com/wiki/Howto:Kerberos
Can anyone point me in the right direction for the best way to
accomplish secure PAM / FDS integraion? Any help would be greatly appreciated.
Fedora-directory-users mailing list