MJD Shop Account wrote:
>>> How does use of this plugin relate to setting the userPassword
>>> attribute to something like 'user REALM'? Is that a completely
>>> separate method for using kerberos?
>>>
>> Yes. It is completely different and doesn't use a special
>> userPassword value.
>>
>
> Where would it be appropriate to use the user REALM method? Any
> pointers to read up on it? I think an earlier message thread
> indicated it was deprecated... I'm not sure which is the best for my
> situation. If it required saslauthd, for instance, that would not
> work for me.
>
Fedora DS does not support the user REALM method in the userPassword
attribute. That is an OpenLDAP only feature, AFAIK.
>
>> SASL mapping should work for SASL BINDs. The PAM passthru plugin
>> should only be used in those cases where you have a client that
>> only supports simple (i.e. username/password) BIND.
>>
>
> I guess I'm not 100% sure how this will work for, say, someone
> logging in via a console. Right now, I have a pam modules stack with
> pam_ldap.so followed by pam_krb5.so. How would a login at a console
> terminal (either text or RH graphical Xwindows login) result in an
> SASL bind to LDAP? My /etc/ldap.conf is set for anonymous binds.
> Perhaps I should reverse the order and have krb5 before ldap, as I
> want krb5 to be used ultimately for authentication. Right now, the
> user might have an LDAP password and a separate krb5 password, if
> they log in with the krb5 password they get KerberosV credentials as
> shown by klist.
>
> To be clear again, I would still need the passthrough to support the
> cross-realm situation, I think. So maybe ldap before krb5 is just
> fine for that reason.
>
> Another more general question. As I want to use the passthrough
> module strictly to do the Kerberos logins, I assume the 'ldapserver'
> pam file would only need pam_krb5.so and not, for example,
> pam_unix.so. Is that right?
>
I think so, but I'm not sure. You'll have to ask a PAM guru
for that.
> Thanks!
>
> Marty
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>