[KLUG Members] Kerberos
Adam Tauno Williams
awilliam at whitemice.org
Wed Sep 21 09:01:01 EDT 2005
>>>>> I'm trying to set up Kerberos Authentication for Apache2 on SLES9.
>>>>> I've been unable to find rpm's or successfully compile an auth
>>>>> mod for Apache2.
>>>>> I decided to use pam_auth_mod and configure pam to use kerberos.
>>>>> The problem I'm running into is this.
>>>>> When I log in to the system either using pam or via apache the
>>>>> request never gets sent to the Kerberos server unless there is an
>>>>> existing local account in passwd. Then even if there is a local
>>>>> account kerberos auth still fails.
>>>> What are you using for NSS?
>> Kerberos is an authorization/authentication system; it is not a name
>> service. It must be used in conjunction with a name service - so you
>> can set up LDAP or <trembles/> NIS.
> I don't have the option for either. This is a college that's part of
> a larger university.
> The university runs a kerberos server with all the faculty and
> students. Over 100,000 users.
> They don't offer LDAP or NIS. Only Kerberos.
Really? I'd double check as it is VERY VERY hard to imagine a network of
100,000 users without an operational name service (I mean - how would anything
work? Perhaps they use Active Directory? An NT domain? Both of these provide
a name service.)
> What I'm really looking for is web auth. I only started looking at
> pam because SLES9 doesn't come with mod_kerb and I couldn't find a
> suitable RPM for it. Meaning one that works.
Ah, without a name service I think you are out of luck as far as PAM goes - at
least without using some spooky incantations that are going to make your system
impossible to maintain. You should be able to make mod_kerb work, but probably
not anything PAM related.
Aside: I'm not sure how PAM auth works via Apache, but if you can specify a PAM
service name and make a separate PAM stack with only an authenticate line and no
session or account entries.... MAYBE that would work?
--
Adam Tauno Williams - http://www.whitemice.org
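
Added example, not part of the original message or of any project mentioned in it: a small Python check for the two things the thread turns on, which name-service sources back passwd lookups and whether a PAM service stack contains only auth entries. The file contents are constructed samples, and the function names and the pam_krb5.so / pam_unix.so module lines are assumptions.

```python
import re

PAM_GROUPS = ("auth", "account", "session", "password")

def nss_passwd_sources(nsswitch_text):
    """Sources on the 'passwd:' line of nsswitch.conf, in lookup order."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            # Drop [STATUS=action] items; keep only the source names.
            return re.sub(r"\[[^\]]*\]", " ", line[len("passwd:"):]).split()
    return []

def pam_groups(pam_text):
    """Map each management group in a /etc/pam.d service file to its modules."""
    found = {}
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") not in PAM_GROUPS:
            continue
        i = 1
        if fields[i].startswith("["):  # bracketed control: [success=ok ...]
            while i < len(fields) and not fields[i].endswith("]"):
                i += 1
        if i + 1 < len(fields):
            found.setdefault(fields[0].lstrip("-"), []).append(fields[i + 1])
    return found

def is_auth_only(pam_text):
    """True when the stack has auth entries and no account/session/password ones."""
    return set(pam_groups(pam_text)) == {"auth"}

# Constructed sample inputs (not taken from the poster's system).
SAMPLE_NSSWITCH = "passwd: files   # local accounts only\ngroup: files\n"
SAMPLE_AUTH_ONLY = "# hypothetical web-only service\nauth required pam_krb5.so\n"
SAMPLE_FULL = (
    "auth     required pam_krb5.so\n"
    "account  required pam_unix.so\n"
    "session  required pam_unix.so\n"
)

if __name__ == "__main__":
    print("passwd sources:", nss_passwd_sources(SAMPLE_NSSWITCH))
    print("auth-only stack:", is_auth_only(SAMPLE_AUTH_ONLY))
    print("full stack groups:", sorted(pam_groups(SAMPLE_FULL)))
```

Pointing the two parsers at the real /etc/nsswitch.conf and the service file under /etc/pam.d shows whether account lookups can reach anything beyond local files and whether the stack still carries account or session entries.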