login with ldap and sasl/gssapi
skb
skb_bhat at excite.com
Thu Nov 6 21:15:34 PST 2003
Hi,
Can someone please tell me how to configure login on the FreeBSD-5.1-RELEASE box to use ldap authentication (using SASL/GSSAPI), pam_krb5, pam_ldap and nss_ldap modules repectively. I have successfully configured openldap21-2.1.20_1 with heimdal-0.5.1. I can execute ldapsearch, ldapadd etc using SASL/GSSAPI mechanism without any problems at all on the local box. On /usr/local/etc/openldap/slapd.conf I've added the following extra stuff:
require SASL
sasl-realm MYDOMAIN.COM
sasl-host test.mydomain.com
sasl-secprop noplain,noanonymous,minssf=56
sasl-regex
uid=(.*),cn=MYDOMAIN.COM,cn=gssapi,cn=auth
uid=$1,ou=People,dc=mydomain,dc=com
The pam_krb5, nss_ldap, pam_ldap modules are working fine since login is working fine with anonymous LDAP bind. But everything stops when I am disabling anonymous bind.
My /etc/pam.d/login file is as follows:
auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
account required pam_krb5.so
account sufficient /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required pam_securetty.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
# password
password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_ldap.so
password required pam_unix.so no_warn try_first_pass
Any help will be greatly appreciated.
Thanks in advance,
skb
_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!
More information about the freebsd-net
mailing list