https://github.com/jas-/pam_krb5-ldap

Patch for RedHat's pam_krb5 (https://fedorahosted.org/pam_krb5/) extending functionality by providing LDAP support for UID/GID mapping
https://github.com/jas-/pam_krb5-ldap

Last synced: about 2 months ago
JSON representation

Patch for RedHat's pam_krb5 (https://fedorahosted.org/pam_krb5/) extending functionality by providing LDAP support for UID/GID mapping

• Host: GitHub
• URL: https://github.com/jas-/pam_krb5-ldap
• Owner: jas-
• Created: 2011-03-18T15:21:23.000Z (about 14 years ago)
• Default Branch: master
• Last Pushed: 2014-04-03T14:54:57.000Z (about 11 years ago)
• Last Synced: 2025-01-28T14:47:08.254Z (4 months ago)
• Language: C
• Homepage:
• Size: 145 KB
• Stars: 1
• Watchers: 3
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.ldap

Awesome Lists containing this project

README

        
OpenLDAP/Active Directory Functionality

Assists with UID/GID mapping for users that are not stored

locally, but within an OpenLDAP or Active Directory.

In order to enable this functionality simply run the configure

command with the --with-ldap argument like so.

%> ./configure --with-ldap

This will enable the linking against the required ldap.h and 

-lldap libraries.

In addition to enabling this feature a simple configuration is

required within the krb5.conf appdefaults section. An example

is listed here:

[appdefaults]

pam = {

        ticket_lifetime = 1d

        renew_lifetime = 1d

        forwardable = true

        proxiable = false

        retain_after_close = false

        minimum_uid = 2

        try_first_pass = true

        ignore_root = true

        schema = ad # ad | ldap to meet your requirements

        ldapservs = ad.domain.com ldap.domain.com

        ldapport = 389

        binddn = uid=read-only-user,ou=Users,dc=ldap,dc=domain,dc=com

        basedn = ou=campus,dc=ad,dc=domain,dc=com

        ldapuser = [readonly-username]

        ldappass = [readonly-password]

        

        passwd = /etc/passwd

        shadow = /etc/shadow

	# If you wish to add the user to groups

	# a comma separted list should be used

	group = /etc/group

	groups = audio,cdrom,cdrw,usb,plugdev,video,games

        # If you define these they will

        # over write anything obtained from

        # ldap/active directory

        #homedir = /home

        #defshell = /bin/bash

}

You will also need to configure pam to utilize

the krb5+ldap authentication. An example of the

/etc/pam.d/system-auth file is listed here.

auth   	    required   	    pam_env.so 

auth        sufficient	    pam_krb5.so

auth	    sufficient	    pam_unix.so try_first_pass likeauth nullok 

auth	    required        pam_deny.so

account	    required	    pam_unix.so 

 

password    required	    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 

password    sufficient	    pam_krb5.so

password    sufficient	    pam_unix.so try_first_pass use_authtok nullok sha512 shadow 

password    required	    pam_deny.so

session	    required	    pam_limits.so 

session	    required	    pam_env.so 

session     optional	    pam_krb5.so

session	    required	    pam_unix.so 

session	    required	    pam_mkhomedir.so silent skel=/etc/skel umask=0022

session	    optional	    pam_permit.so

Please report any bugs to [email protected].