Re: Need help in nslcd setup for kerberoes+ldap
- From: Bill MacAllister <whm [at] dropbox.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Need help in nslcd setup for kerberoes+ldap
- Date: Wed, 28 Nov 2018 13:01:37 -0800
On 11/28/18 7:06 AM, Raviteja Bailapudi wrote:
> Hi
> I have a working setup of (ldapsearch+GSSAPI) and was able to
> successfully get the LDAP user details using ldapsearch after
> getting the tokens using kinit.
> Now, I am trying to replicate a similar client setup using pam_krb5
> and nslcd. Can you please help by providing a sample configuration for
> nslcd (which uses GSSAPI and krb5_ccname)?
krb5_ccname needs to point to a valid Kerberos ticket cache. Here are
the relevant authorization bits from our nslcd.conf:
sasl_mech GSSAPI
krb5_ccname FILE:/var/run/host.tgt
We use a systemd unit file like the following to maintain that ticket cache.
[Unit]
Description=Maintain Localhost Kerberos Ticket Cache
[Service]
# -L: log to syslog; -K 6: re-check the ticket every 6 minutes;
# -l 10h: request a 10 hour ticket lifetime; -f: keytab to authenticate
# from; -k: cache file to write. The -k path must be the file named by
# krb5_ccname in nslcd.conf (/var/run is a symlink to /run on systemd hosts).
ExecStart=/usr/bin/k5start -L -K 6 -l 10h -f /etc/krb5.keytab \
-k /run/host.tgt host/somehost.com
# k5start runs in the foreground; restart it if it dies so the cache
# keeps being renewed.
Restart=on-failure
[Install]
WantedBy=multi-user.target
Basically it just makes sure that k5start is running.
> Do we still require bind_dn and bind_passwd for nslcd (while using
> the GSSAPI method for authentication)?
No, a valid keytab file is sufficient.
> And how would I generate the content for krb5_ccname?
See above.
Bill
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/
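The two halves of the setup above (the krb5_ccname line in nslcd.conf and the -k argument to k5start) must name the same cache file, and the cache must hold an unexpired ticket that the unprivileged nslcd service user can actually read. The following POSIX shell script is an added example, not code from the thread or from the nss-pam-ldapd project: it parses both files, compares the cache paths (treating /var/run and /run as the same directory, as they are on systemd hosts), and offers a live check for the real machine. The sample nslcd.conf, unit files, hostnames (example.com) and the assumption that nslcd runs as a local user named nslcd are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: sanity-check an nslcd GSSAPI
# setup of the kind described above. Assumptions (not stated on the page):
# nslcd runs as the local user "nslcd", and the k5start unit is a plain unit
# file whose ExecStart= line may use backslash continuations.

# Join backslash-continued lines so a multi-line ExecStart= can be parsed.
join_continuations() {
  awk '{ buf = buf $0
         if (sub(/\\$/, "", buf)) next
         print buf; buf = "" }
       END { if (buf != "") print buf }' "$1"
}

# Cache file nslcd will read: "krb5_ccname FILE:/path" -> /path
nslcd_ccname() {
  awk '$1 == "krb5_ccname" { sub(/^FILE:/, "", $2); print $2; exit }' "$1"
}

# Cache file k5start writes: the argument following -k on ExecStart=
k5start_cache() {
  join_continuations "$1" |
    awk '/^ExecStart=/ { for (i = 1; i <= NF; i++)
                           if ($i == "-k") { print $(i + 1); exit } }'
}

# /var/run is a symlink to /run on systemd hosts; compare canonical names.
canon() {
  printf '%s\n' "$1" | sed 's#^/var/run/#/run/#'
}

# Exit 0 if nslcd.conf and the unit file name the same cache, 1 otherwise.
caches_match() {
  [ "$(canon "$(nslcd_ccname "$1")")" = "$(canon "$(k5start_cache "$2")")" ]
}

# Live checks for the real host: the cache must exist, hold an unexpired
# ticket (klist -s is silent and only sets the exit status), and be readable
# by the unprivileged nslcd user, which a root-owned 0600 cache is not.
cache_usable() {
  cc=$1; svc_user=${2:-nslcd}
  [ -r "$cc" ] || { echo "cache $cc is missing or unreadable" >&2; return 1; }
  if command -v klist >/dev/null 2>&1; then
    klist -s -c "FILE:$cc" || { echo "no valid ticket in $cc" >&2; return 1; }
  fi
  if [ "$(id -u)" = 0 ] && id "$svc_user" >/dev/null 2>&1; then
    su -s /bin/sh "$svc_user" -c "test -r '$cc'" ||
      { echo "$cc is not readable by $svc_user" >&2; return 1; }
  fi
  return 0
}

# Constructed sample inputs (not files from the post): one unit whose -k
# disagrees with krb5_ccname and one that matches it.
write_samples() {
  cat > "$1/nslcd.conf" <<'EOF'
uri ldap://ldap.example.com/
base dc=example,dc=com
sasl_mech GSSAPI
krb5_ccname FILE:/var/run/host.tgt
EOF
  cat > "$1/k5start-mismatch.service" <<'EOF'
[Service]
ExecStart=/usr/bin/k5start -L -K 6 -l 10h -f /etc/krb5.keytab \
-k /run/localhost.tgt host/somehost.example.com
EOF
  cat > "$1/k5start-ok.service" <<'EOF'
[Service]
ExecStart=/usr/bin/k5start -L -K 6 -l 10h -f /etc/krb5.keytab \
-k /run/host.tgt host/somehost.example.com
EOF
}

main() {
  d=$(mktemp -d)
  write_samples "$d"
  for unit in k5start-mismatch k5start-ok; do
    if caches_match "$d/nslcd.conf" "$d/$unit.service"; then
      echo "$unit: nslcd and k5start agree on $(nslcd_ccname "$d/nslcd.conf")"
    else
      echo "$unit: MISMATCH nslcd=$(nslcd_ccname "$d/nslcd.conf") k5start=$(k5start_cache "$d/$unit.service")"
    fi
  done
  rm -rf "$d"
}

main
```

On the real host, run cache_usable against the path printed by nslcd_ccname as root. If it fails on readability rather than on the ticket itself, the usual fix is to have k5start hand the cache to the service user with its -o owner, -g group and -m mode options rather than loosening permissions on the whole directory; a readable cache is a credential, so keep it owned by root:nslcd with mode 0640 or tighter.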