[30725] in Kerberos
Re: kdm cannot access to openldap database
daemon@ATHENA.MIT.EDU (cloc3)
Sat Feb 14 22:40:00 2009
From: cloc3 <ziapannocchia@gmail.com>
Date: Fri, 13 Feb 2009 18:25:23 -0800 (PST)
Message-ID: <c6c021b1-8675-4056-a1bb-0feabbc23f72@f3g2000yqf.googlegroups.com>
To: kerberos@mit.edu
On Feb 13, 10:16 pm, Luke Scharf <luke.sch...@clusterbee.net> wrote:
>
> Using an x509 host-certificate for host-level authentication?
>
> -Luke
I've done something simpler.
First of all, I've created a Kerberos user for PAM services, with a
random key, and I've added it to the /etc/ldap/ldap.keytab file:
kadmin.local -q "addprinc -randkey pam@EXAMPLE.COM"
kadmin.local -q "ktadd -k /etc/ldap/ldap.keytab pam@EXAMPLE.COM"
Afterwards, I've added a kinit instruction to the /etc/init.d/kdm service
script:
kinit -kt /etc/ldap/ldap.keytab pam@EXAMPLE.COM
In the end, I had a problem with kdm (3.5): the program needs to
access the loginShell OpenLDAP attribute to add the user to the
user list. But loginShell often has limited access.
So, I added this to slapd.access (the "by" lines are indented so that
slapd reads them as continuation lines of the "access to" directive):
access to attrs=loginShell
        by dn="uid=pam,cn=paschini.edu,cn=gssapi,cn=auth" read
        by dn="cn=admin,dc=paschini,dc=edu" write
        by anonymous auth
        by self write
        by * none
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
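The ACL in the post only works if the DN that slapd assigns to the SASL/GSSAPI bind matches the dn= clause exactly: a keytab principal is mapped to uid=<primary>,cn=<realm>,cn=gssapi,cn=auth, and slapd stops at the first "by" clause that matches the bind identity, so a principal whose realm does not match the cn=<realm> component falls through to "by * none". The following Python, which is an added example and not code from the post, builds that DN for a principal and evaluates the posted "access to attrs=loginShell" directive for several bind identities. The evaluator supports only the subset of slapd.access syntax the post uses ("*", anonymous, users, self, dn=...), the target entry uid=alice,ou=People,dc=paschini,dc=edu is assumed, and the realm is lowercased to match the form used in the posted ACL (cn and uid compare case-insensitively in slapd, so case does not affect matching either way).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# slapd access levels in order; a granted level implies every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def gssapi_authz_dn(principal: str) -> str:
    """DN slapd assigns to a SASL/GSSAPI bind when no authz-regexp rewrites it:
    uid=<primary>,cn=<realm>,cn=gssapi,cn=auth (realm lowercased; cn/uid are
    case-insensitive attributes, so the case does not affect ACL matching)."""
    if "@" not in principal:
        raise ValueError("principal needs a realm: " + principal)
    name, realm = principal.rsplit("@", 1)
    return f"uid={name},cn={realm.lower()},cn=gssapi,cn=auth"


def normalize_dn(dn: str) -> str:
    # Enough normalisation for this example: trim each RDN and fold case.
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class ByClause:
    who: str     # "*", "anonymous", "users", "self" or dn="..."
    level: str


@dataclass
class Acl:
    attrs: List[str]
    clauses: List[ByClause]


ACCESS_RE = re.compile(r"^access\s+to\s+attrs=(\S+)$")
BY_RE = re.compile(r"^by\s+(.+?)\s+(" + "|".join(LEVELS) + r")$")
DN_WHO_RE = re.compile(r'^dn(?:\.exact)?="?([^"]+)"?$')


def parse_acl(text: str) -> Acl:
    """Parse one 'access to attrs=... by <who> <level>' directive (subset of slapd.access)."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    m = ACCESS_RE.match(lines[0])
    if not m:
        raise ValueError("unsupported access directive: " + lines[0])
    clauses = []
    for line in lines[1:]:
        bm = BY_RE.match(line)
        if not bm:
            raise ValueError("unsupported by clause: " + line)
        clauses.append(ByClause(bm.group(1), bm.group(2)))
    return Acl(m.group(1).split(","), clauses)


def evaluate(acl: Acl, attr: str, bind_dn: Optional[str], target_dn: str) -> Optional[str]:
    """Level granted to bind_dn (None = anonymous) on attr of target_dn by the first
    matching 'by' clause; slapd stops at the first match, so clause order matters.
    Returns None when the directive does not cover attr at all."""
    if attr not in acl.attrs:
        return None
    for c in acl.clauses:
        if c.who == "*":
            return c.level
        if c.who == "anonymous" and bind_dn is None:
            return c.level
        if c.who == "users" and bind_dn is not None:
            return c.level
        if c.who == "self" and bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(target_dn):
            return c.level
        dm = DN_WHO_RE.match(c.who)
        if dm and bind_dn is not None and normalize_dn(dm.group(1)) == normalize_dn(bind_dn):
            return c.level
    return "none"   # nothing matched: slapd's implicit default


def allows(granted: str, wanted: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(wanted)


# Constructed input: the directive from the post, with the GSSAPI DN quoted.
POSTED_ACL = """
access to attrs=loginShell
  by dn="uid=pam,cn=paschini.edu,cn=gssapi,cn=auth" read
  by dn="cn=admin,dc=paschini,dc=edu" write
  by anonymous auth
  by self write
  by * none
"""

USER_DN = "uid=alice,ou=People,dc=paschini,dc=edu"   # assumed target entry


def check_service_principal(principal: str, acl_text: str = POSTED_ACL) -> str:
    """Level the keytab principal gets on loginShell after kinit and a SASL/GSSAPI bind."""
    return evaluate(parse_acl(acl_text), "loginShell", gssapi_authz_dn(principal), USER_DN)


if __name__ == "__main__":
    for p in ("pam@PASCHINI.EDU", "pam@EXAMPLE.COM"):
        print(p, "->", gssapi_authz_dn(p), "->", check_service_principal(p))
```

Running it shows pam@PASCHINI.EDU getting "read" while pam@EXAMPLE.COM gets "none": the principal's realm and the cn= component of the ACL's dn= clause have to agree, and an anonymous bind only reaches the "by anonymous auth" clause. Before changing the real ACL, the same thing can be confirmed on the server with "kinit -kt /etc/ldap/ldap.keytab <principal>" followed by an ldapwhoami -Y GSSAPI, whose output is the DN the dn= clause must match.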