Old 09-25-2008, 07:58 PM
Tim Hartmann
 
Default Directory Server Authentication Pass through with Kerberos or saslauthd

Hi all, I've run into some configuration trouble with our Red Hat Directory server V 8.0 and was hoping someone on this list might be able to shed a little light on my darkened, troubled and confused brow!

We've got the directory running pretty and have enabled gssapi to allow
us to bind with our Kerberos Tickets, so if I do an LDAP query and bind with gssapi with a valid TGT all is well! (hurray) However that's really only PART of what we hope to do with Kerberos and Red Hat Directory Server... we'd also like to be able to use Kerberos as the password database for LDAP... so that a non-Kerberos-aware application which just wants to bind to ldap will be able to bind to the directory, unaware that Kerberos is actually being used as the password store and means of auth..

I found a pretty good HOWTO for how to do this with open ldap:
http://www.ba.infn.it/~domenico/docs/AAIFiles/openLDAP.html

Way down at the bottom where it says "Kerberos as back-end database for LDAP password" is exactly what I'd like to accomplish! Is there a means to do the same thing in FDS? I also found this documentation:

http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through

Which seems like it could work, but seems kind of like a hack for what I'm trying to do and it seemed like I couldn't be the only one who wanted to do it! I suspect there's something I'm just missing!

Thanks for the time, and any help would be much appreciated!

Tim


--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 
Old 09-25-2008, 08:15 PM
Rich Megginson
 
Default Directory Server Authentication Pass through with Kerberos or saslauthd

Tim Hartmann wrote:
> Hi all, I've run into some configuration trouble with our Red Hat Directory server V 8.0 and was hoping someone on this list might be able to shed a little light on my darkened, troubled and confused brow!
>
> We've got the directory running pretty and have enabled gssapi to allow
> us to bind with our Kerberos Tickets, so if I do an LDAP query and bind with gssapi with a valid TGT all is well! (hurray) However that's really only PART of what we hope to do with Kerberos and Red Hat Directory Server... we'd also like to be able to use Kerberos as the password database for LDAP... so that a non-Kerberos-aware application which just wants to bind to ldap will be able to bind to the directory, unaware that Kerberos is actually being used as the password store and means of auth..
>
> I found a pretty good HOWTO for how to do this with open ldap:
> http://www.ba.infn.it/~domenico/docs/AAIFiles/openLDAP.html
>
> Way down at the bottom where it says "Kerberos as back-end database for LDAP password" is exactly what I'd like to accomplish! Is there a means to do the same thing in FDS? I also found this documentation:
>
> http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through
>
> Which seems like it could work, but seems kind of like a hack for what I'm trying to do and it seemed like I couldn't be the only one who wanted to do it! I suspect there's something I'm just missing!

That hack was invented for those who wanted to use Kerberos as the
authoritative source for password information. pampassthru passes the
password to Kerberos via pam.

If you're really interested in using Fedora DS as the authoritative
source for password information, and have Kerberos use Fedora DS to
store the passwords, you really need freeipa.org

> Thanks for the time, and any help would be much appreciated!
>
> Tim
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users



--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 
Old 09-25-2008, 09:15 PM
Tim Hartmann
 
Default Directory Server Authentication Pass through with Kerberos or saslauthd

Hi Rich thanks for the reply!

Rich Megginson wrote:
>> http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through
>>
>> Which seems like it could work, but seems kind of like a hack for
>> what i'm trying to do and it seemed like I couldn't be the only one
>> who wanted to do it! I suspect there's something I'm just missing!
> That hack was invented for those who wanted to use Kerberos as the
> authoritative source for password information. pampassthru passes the
> password to Kerberos via pam.
>
That's *really* what I'd like to do... actually keep Kerberos as my
authoritative source for password data, I was hoping there might have
been a saslauthd plugin that I may have missed to proxy passwords back
to ldap as well, or maybe some other step that I'd missed in my research.


> If you're really interested in using Fedora DS as the authoritative
> source for password information, and have Kerberos use Fedora DS to
> store the passwords, you really need freeipa.org

We took a look at Freeipa.org but it didn't seem to be as good a fit for us
especially since we wanted to keep Kerberos as our password store. If I
can get simple binds to work through pam for those applications that
don't support GSS/SASL that would be a huge win!


Out of curiosity, was there any reason for proxying through pam rather
than something like saslauthd?


Thanks again!

Tim


--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 
Old 09-25-2008, 09:35 PM
Rich Megginson
 
Default Directory Server Authentication Pass through with Kerberos or saslauthd

Tim Hartmann wrote:
> Hi Rich thanks for the reply!
>
> Rich Megginson wrote:
>>> http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through
>>>
>>> Which seems like it could work, but seems kind of like a hack for
>>> what I'm trying to do and it seemed like I couldn't be the only one
>>> who wanted to do it! I suspect there's something I'm just missing!
>> That hack was invented for those who wanted to use Kerberos as the
>> authoritative source for password information. pampassthru passes the
>> password to Kerberos via pam.
>>
> That's *really* what I'd like to do... actually keep Kerberos as my
> authoritative source for password data, I was hoping there might have
> been a saslauthd plugin that I may have missed to proxy passwords back
> to ldap as well, or maybe some other step that I'd missed in my research.
>
>> If you're really interested in using Fedora DS as the authoritative
>> source for password information, and have Kerberos use Fedora DS to
>> store the passwords, you really need freeipa.org
>
> We took a look at Freeipa.org but it didn't seem to be as good a fit for us
> especially since we wanted to keep Kerberos as our password store. If I
> can get simple binds to work through pam for those applications that
> don't support GSS/SASL that would be a huge win!
>
> Out of curiosity, was there any reason for proxying through pam rather
> than something like saslauthd?

The people who wanted this feature didn't want the overhead of an
additional server daemon (saslauthd). They already had a pam stack that
did kerberos auth and they just wanted Fedora DS to use that - pam passthru.

> Thanks again!
>
> Tim
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users



--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
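A configuration of the kind Rich describes in his two replies, as an added example that is not from this thread or from the project's own documentation: the PAM Pass Through plugin entry that hands simple-bind passwords to a PAM stack backed by pam_krb5, with the two settings a defender should not leave at their permissive values. The PAM service name `ldapserver`, its file path and the suffix are assumptions.

```ldif
# Assumed PAM service file, /etc/pam.d/ldapserver (the name must match
# pamService below). pam_krb5 does the actual check against the KDC, so
# the directory never needs a userPassword for these entries:
#
#   auth     required   pam_krb5.so
#   account  required   pam_krb5.so
#
# Plugin configuration, applied with ldapmodify as Directory Manager.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
# Binds under cn=config (Directory Manager, replication accounts) keep
# their own directory credentials and are never sent to PAM.
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
# The PAM user name is the value of the bind DN's RDN, e.g. uid=alice
# for uid=alice,ou=People,dc=example,dc=com (suffix is constructed).
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
# Refuse the pass-through over cleartext: the server sees the password
# in the simple bind, so the client must be on TLS/LDAPS.
replace: pamSecure
pamSecure: TRUE
-
# Do not fall back to a local userPassword when PAM rejects the bind;
# otherwise a stale directory password would still authenticate.
replace: pamFallback
pamFallback: FALSE
-
replace: pamService
pamService: ldapserver
```

Plugin configuration changes of this kind take effect after the directory server is restarted.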
 
Old 09-26-2008, 07:33 PM
Tim Hartmann
 
Default Directory Server Authentication Pass through with Kerberos or saslauthd

Rich,

Configuring the pam plugin went really well, and was really
straightforward to follow, thanks for putting up the docs online and
writing the pam plugin. I did have to pull over the
libpam-passthru-plugin.so file from a copy of Fedora Directory Server
v1.1, since it doesn't look like Red Hat Directory Server 8.0 ships
with it. The plugin lists as version 1.1; is that the appropriate
version of the library?

-Tim





Rich Megginson wrote:
> Tim Hartmann wrote:
>> Hi Rich thanks for the reply!
>>
>> Rich Megginson wrote:
>>
>>>> http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through
>>>>
>>>> Which seems like it could work, but seems kind of like a hack for
>>>> what i'm trying to do and it seemed like I couldn't be the only one
>>>> who wanted to do it! I suspect there's something I'm just
>>>> missing!
>>> That hack was invented for those who wanted to use Kerberos as the
>>> authoritative source for password information. pampassthru passes the
>>> password to Kerberos via pam.
>>>
>>>
>> Thats *really* what I'd like to do... actually keep Kerberos as my
>> authoritative source for password data, I was hoping there might have
>> been a saslauthd plugin that I may have missed to proxy passwords back
>> to ldap as well, or maybe some other step that I'd missed in my
>> research.
>>
>>
>>
>>> If you're really interested in using Fedora DS as the authoritative
>>> source for password information, and have Kerberos use Fedora DS to
>>> store the passwords, you really need freeipa.org
>>>
>>
>> We took a look at Freeipa.org but it didn't seem to as good a fit for us
>> especially since we wanted to keep Kerberos as our password store. If I
>> can get simple binds to work through pam for those applications that
>> don't support GSS/SASL that would be a huge win!
>>
>>
>> Out of curiosity, was there any reason for proxing though pam rather
>> then something like saslauthd?
> The people who wanted this feature didn't want the overhead of an
> additional server daemon (saslauthd). They already had a pam stack
> that did kerberos auth and they just wanted Fedora DS to use that -
> pam passthru.
>>
>> Thanks again!
>>
>> Tim
>>
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 
Old 09-26-2008, 08:11 PM
Rich Megginson
 
Default Directory Server Authentication Pass through with Kerberos or saslauthd

Tim Hartmann wrote:
> Rich,
>
> Configuring the pam plugin went really well, and was really
> straightforward to follow, thanks for putting up the docs online and
> writing the pam plugin. I did have to pull over the
> libpam-passthru-plugin.so file from a copy of Fedora Directory Server
> v1.1, since it doesn't look like Red Hat Directory Server 8.0 ships
> with it. The plugin lists as version 1.1; is that the appropriate
> version of the library?

Yes. Just make sure you use the FC-6 binary since that most closely
corresponds to RHEL5.

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 