Pam_ldap, pam_kerberos via Active Directory
I have been scouring the net for documentation of setting up a SuSE 9.0 client to use pam_krb5 for authentication and then use pam_ldap to obtain user profile information. (Similar to a roaming profile on Windows environments). I have been using YaST2 to configure the pam_krb5 and pam_ldap information specific to our environment. As of now I can get the user to authenticate successfully against a Windows Kerberos server, however it still needs to have a local account setup in order to authenticate successfully. I receive errors when trying to use YaST2 to look in the LDAP directory and receive errors with container object not found or invalid credentials. If I use ldapsearch from the command line I can successfully look up a specified user, which means from the command line I can bind and search the Active Directory database. Has anyone else run into this problem? When I check logs for the YaST2 it seems to be putting in an extra CN=Configuration before my root DN information. Any help is appreciated.

-- Jason Gerfen, Student Computing Group, jason.Gerfen@scl.utah.edu
"whoa... you mean this isn't woodshop class?" ~ cereal killer (as in fruit loops) Hackers 1989
On Friday 16 April 2004 03:34, Jason Gerfen wrote:
I have been scouring the net for documentation of setting up a SuSE 9.0 client to use pam_krb5 for authentication and then use pam_ldap to obtain user profile information. (Similar to a roaming profile on Windows environments). I have been using YaST2 to configure the pam_krb5 and pam_ldap information specific to our environment.
I'm interested in this too, we have a well maintained Active Directory of all CSIRO employees, that I want to query and use.
As of now I can get the user to authenticate successfully against a Windows Kerberos server, however it still needs to have a local account setup in order to authenticate successfully.
Yep, same here. Using pam_krb5 by modifying /etc/pam.d/sshd and /etc/krb5.conf.

What I wish for is an OpenLDAP gateway: one that provides the Unix standard schema for accounts, and backends into AD with appropriate overlays and munging. i.e. Unix uid numbers are overlaid from an external source, groups are distilled (using a regexp) out of AD groups or other info, home dirs are brewed out of parts, /home/<group>/<username>/

Please keep me posted on how you go, michaelj

-- Michael James, michael.james@csiro.au, System Administrator, voice: 02 6246 5040, CSIRO Bioinformatics Facility, fax: 02 6246 5166
Will do. I am trying to get remote access or a roaming profile setup for linux clients. I am not trying to get support for any specific applications or services but I will let you know what I come up with if I ever find a solution. Michael James wrote:
On Friday 16 April 2004 03:34, Jason Gerfen wrote:
I have been scouring the net for documentation of setting up a SuSE 9.0 client to use pam_krb5 for authentication and then use pam_ldap to obtain user profile information. (Similar to a roaming profile on Windows environments). I have been using YaST2 to configure the pam_krb5 and pam_ldap information specific to our environment.
I'm interested in this too, we have a well maintained Active Directory of all CSIRO employees, that I want to query and use.
As of now I can get the user to authenticate successfully against a Windows Kerberos server, however it still needs to have a local account setup in order to authenticate successfully.
Yep, same here. Using pam_krb5 by modifying /etc/pam.d/sshd and /etc/krb5.conf.
What I wish for is an OpenLDAP gateway: one that provides the Unix standard schema for accounts, and backends into AD with appropriate overlays and munging.
i.e. Unix uid numbers are overlaid from an external source, groups are distilled (using a regexp) out of AD groups or other info, home dirs are brewed out of parts, /home/<group>/<username>/
Please keep me posted on how you go, michaelj
-- Jason Gerfen "whoa... you mean this isn't woodshop class?" ~ cereal killer (as in fruit loops) Hackers 1989