Authentication client via Kerberos (Heimdal) and LDAP backend
Dennis Guse
To use the authentication mechanism provided by g00se.org on g00se.org :D, I installed libpam-heimdal and configured NSS.
Kerberos configuration: /etc/krb5.conf
[libdefaults]
    default_realm = G00SE.ORG
    default_keytab_name = /etc/krb5.keytab
    ticket_lifetime = 28800
    default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5
[realms]
    G00SE.ORG = {
        kdc = g00se.org
        admin_server = g00se.org
    }
[domain_realm]
    g00se.org = G00SE.ORG
    .g00se.org = G00SE.ORG
One caveat on the enctype lines: des-cbc-crc and des-cbc-md5 are single DES, which is broken and disabled by default in current Heimdal and MIT releases (see RFC 6649). Keep them only if the KDC still issues keys with those enctypes; otherwise list only des3-hmac-sha1 (or, better, the AES enctypes the KDC supports) so a client never negotiates down to DES.
The PAM configuration that authenticates against the Heimdal KDC: /etc/pam.d/kerberos
#@include common-auth
#@include common-account
auth    required pam_krb5.so
account required pam_krb5.so
Configuration of the nss-ldap plugin: /etc/libnss-ldap.conf
uri ldaps://g00se.org/
ldap_version 3
base dc=g00se,dc=org
scope sub
pam_filter objectclass=account
pam_login_attribute uid
pam_min_uid 1000
pam_max_uid 2000
nss_base_passwd ou=People,dc=g00se,dc=org?one
nss_base_group ou=group,dc=g00se,dc=org?one
The pam_* lines are pam_ldap options that nss_ldap ignores; since authentication goes through pam_krb5 here they are inert but harmless. Using ldaps:// encrypts the directory traffic, but the client only verifies the server certificate if you also set tls_checkpeer yes and point tls_cacertfile (or tls_cacertdir) at the CA that signed the LDAP server's certificate; without that, a spoofed directory could hand out arbitrary uids and group memberships.
Let NSS know that there is a second source that provides account data (passwd and group entries). Listing compat before ldap means local files are consulted first, so a local account of the same name always wins. cat /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
That's all! As root you can now check that everything works: run getent passwd and you will see all your local accounts plus the central ones served from LDAP! I hope everything is cool!!!
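Seeing LDAP accounts in getent passwd only proves that the ldap source answers; before relying on it for logins you also want to know that none of the central accounts collide with local ones by name or uid, and that their uids stay inside the 1000-2000 window configured with pam_min_uid and pam_max_uid above. The script below is an added example, not code from the original post: it compares passwd-format text for the local accounts with the merged NSS view, treats every merged entry that is not a local entry as LDAP-provided, and reports the three problems. The account data at the bottom is constructed for the demonstration; on a configured client you would feed it /etc/passwd and the output of getent passwd.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the merged NSS view.
# check_accounts MIN MAX LOCAL MERGED reads passwd(5)-format text for the local
# accounts and for the merged view, treats every merged entry that is not a
# local entry as LDAP-provided, and reports:
#   - LDAP users whose name duplicates a local user (compat is listed first in
#     nsswitch.conf, so the local entry wins by name but not by uid)
#   - LDAP users whose uid duplicates a local uid (root, system accounts)
#   - LDAP uids outside the pam_min_uid..pam_max_uid window (1000-2000 here)
# It prints one line per problem and returns 1 if any were found, 0 otherwise.

check_accounts() {
    min=$1; max=$2
    tmp=$(mktemp -d) || return 2
    printf '%s\n' "$3" > "$tmp/local"
    printf '%s\n' "$4" > "$tmp/merged"
    awk -F: -v min="$min" -v max="$max" '
        FNR == NR {                       # first file: local accounts
            if (NF >= 3) { lname[$1] = 1; luid[$3] = $1 }
            next
        }
        NF < 3 { next }                   # skip blank or garbled lines
        # a local entry echoed back by NSS: same name and same uid as in the local file
        ($1 in lname) && ($3 in luid) && luid[$3] == $1 { next }
        {                                 # everything else came from LDAP
            if ($1 in lname) {
                printf "name collision: LDAP user %s (uid %s) duplicates a local user\n", $1, $3
                problems++
            }
            if ($3 in luid) {
                printf "uid collision: LDAP user %s shares uid %s with local user %s\n", $1, $3, luid[$3]
                problems++
            }
            if ($3 + 0 < min + 0 || $3 + 0 > max + 0) {
                printf "uid out of range: LDAP user %s has uid %s, expected %s-%s\n", $1, $3, min, max
                problems++
            }
        }
        END { exit (problems > 0) }
    ' "$tmp/local" "$tmp/merged"
    status=$?
    rm -rf "$tmp"
    return "$status"
}

# Constructed sample data (not real accounts). On a configured client run:
#   check_accounts 1000 2000 "$(cat /etc/passwd)" "$(getent passwd)"
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
dennis:x:1000:1000:Dennis:/home/dennis:/bin/bash'

# The merged view: the local entries plus four entries served from LDAP, three
# of which are deliberately bad (duplicate name, uid 0, uid above pam_max_uid).
MERGED_PASSWD="$LOCAL_PASSWD
alice:x:1001:1001:Alice:/home/alice:/bin/bash
dennis:x:1005:1005:Dennis (LDAP):/home/dennis:/bin/bash
mallory:x:0:0:Mallory:/home/mallory:/bin/bash
bob:x:2500:2500:Bob:/home/bob:/bin/bash"

check_accounts 1000 2000 "$LOCAL_PASSWD" "$MERGED_PASSWD" \
    || echo "problems found; fix the directory before enabling logins"
```

With the sample data the check reports four problems (the duplicate dennis, mallory's uid 0 both colliding with root and falling outside the window, and bob's uid 2500) and returns 1; with a clean directory it prints nothing and returns 0, so it can sit in a deployment script as a gate.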