question about user authentication and authorization in nss-ldapd -> nslcd -> slapd
- From: Liu Yubao <yubao.liu [at] gmail.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: question about user authentication and authorization in nss-ldapd -> nslcd -> slapd
- Date: Fri, 16 Dec 2011 18:46:49 +0800
Hi all,
Recently I've been playing with nss-ldapd + nslcd + slapd + Kerberos to implement SSO,
and I'm confused about the authentication and authorization parts.
(1) The user process calls nslcd via the nss-ldapd library; nslcd learns the uid and gid
    from the UNIX domain socket.
    (I guess there is no GSSAPI authentication between the user process and nslcd.)
(2) nslcd authenticates to slapd by GSSAPI; nslcd thinks the client is nslcd's
    Kerberos principal, such as "host/HOSTNAME@REALM".
My questions:
a. slapd can't authenticate users directly by GSSAPI, so slapd can't limit
   authorization based on users' Kerberos principal names, right?
   /etc/nslcd.conf can specify an authzid for nslcd, but that's fixed and can't
   change according to the requesting user.
b. I heard there is a rebind from nslcd to slapd. I set up userA in Kerberos and
   slapd (uid=userA,ou=People,dc=example,dc=com), then ran "kinit" as userA, then
   "getent passwd", but I don't see nslcd try to rebind as userA. Why?
c. The uid and gid are provided by nslcd to slapd; how can slapd avoid a malicious
   nslcd providing "uid=0,gid=0" to slapd for a normal user?
d. I only installed nss-ldapd + nslcd, not pam-ldapd, because I already have
   pam-krb5. I find "chsh" complains that the user isn't in /etc/passwd; it seems
   it doesn't look into slapd. How can I make chsh LDAP-aware?
Regards,
Yubao Liu
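As an added illustration of the first hop described in the message above (this is not nslcd's or slapd's code, and the message does not confirm which call nslcd itself uses): on Linux, a daemon on a UNIX domain socket can ask the kernel for the peer's pid/uid/gid with SO_PEERCRED, so a uid the client writes into its own request carries no weight. The "uid=<n>" request format and the function names are assumptions made for this demonstration.

```python
import os
import socket
import struct

# Linux struct ucred: pid_t pid, uid_t uid, gid_t gid (three native C ints).
UCRED_FMT = "3i"


def peer_credentials(sock):
    """Return (pid, uid, gid) of the process at the other end of a UNIX socket.

    The kernel fills these in (SO_PEERCRED, Linux-specific); the peer cannot
    forge them, unlike anything it writes into the request payload.
    """
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED_FMT))
    return struct.unpack(UCRED_FMT, raw)


def handle_request(conn, request):
    """Hypothetical daemon side: parse a "uid=<n>" line and decide which uid to trust.

    Returns the uid the client claimed, the uid/gid the kernel reports for the
    peer, whether the two disagree, and the caller's own uid for comparison.
    """
    claimed_uid = int(request.decode("ascii").strip().split("=", 1)[1])
    _pid, kernel_uid, kernel_gid = peer_credentials(conn)
    return {
        "claimed_uid": claimed_uid,
        "kernel_uid": kernel_uid,
        "kernel_gid": kernel_gid,
        "mismatch": claimed_uid != kernel_uid,
        "own_uid": os.getuid(),
    }


def demo():
    """Constructed exchange over a socketpair: the 'client' claims to be uid 0."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.sendall(b"uid=0\n")  # constructed request: client asserts it is root
        return handle_request(server, server.recv(64))
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print(demo())
```

Run as an unprivileged user, `mismatch` is True because the kernel reports your real uid regardless of the claim; the same principle is why the nslcd-to-slapd hop, where only nslcd's own Kerberos principal is authenticated, cannot give slapd a per-user identity.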
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/