Authentication client via Kerberos (Heimdal) and LDAP backend

Dennis Guse

To use the authentication mechanism provided by g00se.org on g00se.org itself :D, I installed libpam-heimdal and configured nss.

Kerberos configuration: /etc/krb5.conf

    [libdefaults]
    default_realm = G00SE.ORG
    default_keytab_name = /etc/krb5.keytab
    ticket_lifetime = 28800
    default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5

    [realms]
    G00SE.ORG = {
        kdc = g00se.org
        admin_server = g00se.org
    }

    [domain_realm]
    g00se.org = G00SE.ORG
    .g00se.org = G00SE.ORG

The pam configuration to use the heimdal KDC: /etc/pam.d/kerberos

    #@include common-auth
    #@include common-account
    auth required pam_krb5.so
    account required pam_krb5.so

Configuration of the nss-ldap plugin: /etc/libnss-ldap.conf

    uri ldaps://g00se.org/
    ldap_version 3
    base dc=g00se,dc=org
    scope sub
    pam_filter objectclass=account
    pam_login_attribute uid
    pam_min_uid 1000
    pam_max_uid 2000
    nss_base_passwd ou=People,dc=g00se,dc=org?one
    nss_base_group ou=group,dc=g00se,dc=org?one

Let nss know that there is a second source which provides authorisation data: /etc/nsswitch.conf

    passwd: compat ldap
    group: compat ldap

That's all! As root you can now check whether everything works: run getent passwd and you will see all your local accounts as well as the central ones! I hope everything is cool!!!
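getent passwd only proves that NSS can reach the directory; it says nothing about what the krb5.conf above actually enables. The following script is an added example, not part of the original post, that parses a constructed copy of the post's /etc/krb5.conf and /etc/nsswitch.conf (embedded inline so it runs offline), extracts the realm's KDC, lists the enabled encryption types, flags the DES and 3DES entries that RFC 6649 and RFC 8429 deprecate and that current Heimdal and MIT releases disable or drop, and confirms that both passwd and group really list ldap. The parser is a small one written for this example (it handles key = value bindings and nested { } blocks, nothing more) and the WEAK_ETYPES table is deliberately short; both are assumptions of the example rather than anything taken from Heimdal.

```python
"""Audit a Heimdal krb5.conf and nsswitch.conf for the settings this post touches.

Added example, not code from the original post. The parser below is a
minimal one written for this example and is not Heimdal's own config reader.
"""
import re

# Constructed sample input mirroring the post's /etc/krb5.conf.
KRB5_CONF = """\
[libdefaults]
    default_realm = G00SE.ORG
    default_keytab_name = /etc/krb5.keytab
    ticket_lifetime = 28800
    default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5

[realms]
    G00SE.ORG = {
        kdc = g00se.org
        admin_server = g00se.org
    }

[domain_realm]
    g00se.org = G00SE.ORG
    .g00se.org = G00SE.ORG
"""

# Constructed sample input mirroring the post's /etc/nsswitch.conf.
NSSWITCH_CONF = """\
passwd: compat ldap
group: compat ldap
shadow: compat
"""

# Enctype names that should no longer be enabled (deliberately short list):
# single DES is deprecated by RFC 6649, 3DES and RC4 by RFC 8429.
WEAK_ETYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1", "des3-hmac-sha1",
    "arcfour-hmac-md5", "rc4-hmac",
}


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value | nested dict}}.

    Supports '[section]' headers, 'key = value' bindings and
    'key = {' ... '}' blocks (nested to any depth). '#' starts a comment.
    """
    sections = {}
    stack = []  # innermost open dict is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = sections.setdefault(header.group(1), {})
            stack = [section]
            continue
        if not stack:
            raise ValueError("binding outside of a section: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        if "=" not in line:
            raise ValueError("unsupported line: %r" % raw)
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    return sections


def etype_report(conf):
    """Return (enabled, weak): all default_etypes and the deprecated subset."""
    enabled = conf.get("libdefaults", {}).get("default_etypes", "").split()
    weak = [e for e in enabled if e in WEAK_ETYPES]
    return enabled, weak


def realm_kdc(conf, realm):
    """Return the kdc host configured for realm, or None if absent."""
    return conf.get("realms", {}).get(realm, {}).get("kdc")


def nss_sources(text, database):
    """Return the source list for one nsswitch.conf database (e.g. 'passwd')."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        name, _, rest = line.partition(":")
        if name.strip() == database:
            return rest.split()
    return []


def nss_uses_ldap(text):
    """True when both passwd and group resolve through ldap."""
    return all("ldap" in nss_sources(text, db) for db in ("passwd", "group"))


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    realm = conf["libdefaults"]["default_realm"]
    print("realm %s, KDC %s" % (realm, realm_kdc(conf, realm)))
    enabled, weak = etype_report(conf)
    print("enabled etypes: %s" % " ".join(enabled))
    print("deprecated etypes still enabled: %s" % (" ".join(weak) or "none"))
    print("nsswitch passwd+group use ldap: %s" % nss_uses_ldap(NSSWITCH_CONF))
```

Run against the post's configuration it reports every enabled enctype as deprecated, which is the expected result for a setup from the 3DES/DES era; replacing the default_etypes line with the AES enctypes your KDC supports makes the weak list empty. To audit a live system, read the two real files instead of the embedded strings.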