kerberos + OpenLDAP + NSS + CyrusSASL; no PAM on slackware?
Greetings fellow Slackers,
Is anyone running krb5 + ldap + sasl + nss on Slackware?
I don't believe that it is mandatory to integrate with PAM - just that it makes it easier to implement.
I'd appreciate your thoughts on this.
Thanks.
Depends on why you need LDAP. If it's Active Directory you want to integrate with, then up to Slackware 14.1 (never tried on current) you can mostly integrate a Slackware machine as a domain member server; Samba does all the LDAP work.
Basic steps.
1) install the MIT kerberos package. It's on slackbuilds.
1a) make certain openldap is installed
2) rebuild Samba using the original slackbuild script
2a) rebuild sshd with kerberos support
3) configure samba rid/sid mapping and join the domain.
4) modify /etc/inittab to pass the -l argument to agetty, use login.krb binary as the logon program
5) modify /etc/rc.d/rc.samba to start/stop winbindd as well as smbd and nmbd
6) update /etc/nsswitch.conf to use files and then winbind (for passwd and group)
7) test winbind, test getent
8) reboot
This configuration has some limitations. You will be able to log in at the console or with ssh using domain credentials, and you can use Windows groups and users for file ownerships etc. Other packages like proftp / apache / imapd etc. will see group memberships and be able to get a listing of users but will NOT be able to authenticate a user; they have no way to obtain the password hashes.
It's usually possible to work around these things; for instance, I used to need to host FTP in such an environment. You can set up radius on Windows, proftp can authenticate with radius, and then at the FS level the Windows users and groups just work(tm).
I actually requested Pat add radius support to his proftpd build once upon a time for this reason and he was gracious enough to do so!
One thing I am sure that derailed kikinovak, that I never solved, was an X greeter. If you intend to use X you will have to log in at run level three and do startx. Way back on like Slackware 10.2, I had some patches for XDM that I did myself, but they quit applying a long time ago.
So it really depends on what your needs are exactly; it can mostly work but you will run across the odd thing from time to time that is unable to authenticate.
*edit
Just to make one more comment. PAM is actually a very useful abstraction for solving this problem. This method touches fewer Slackware packages than going down the path of rebuilding stuff all up and down the tree to support PAM, which means you apply most patches and upgrade more easily when the time comes. However, it is kludgy as hell.
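A check for steps 6 and 7 of the post above, added here as an example that is not part of the original post: NSS consults sources left to right, so this script confirms that `files` precedes `winbind` for a database before you rely on `getent`. The function names and the sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): check the source order from step 6.
# Function names and the sample file are assumptions of this example.

# Print the sources listed for one NSS database, one per line, ignoring
# comments and action items such as [NOTFOUND=return].
nss_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$2" |
    awk -F: -v db="$1" '
        $1 ~ ("^[ \t]*" db "[ \t]*$") {
            n = split($2, a, /[ \t]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
            exit
        }'
}

# Return 0 if "files" precedes "winbind" for the database, 1 if winbind is
# not listed, 2 if "files" is missing or listed after winbind.
check_order() {
    seen_files=no
    for src in $(nss_sources "$1" "$2"); do
        case $src in
            files)   seen_files=yes ;;
            winbind) [ "$seen_files" = yes ] && return 0
                     return 2 ;;
        esac
    done
    return 1
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:     files winbind
group:      winbind files     # wrong order
shadow:     files
EOF

for d in passwd group shadow; do
    rc=0
    check_order "$d" "$sample" || rc=$?
    case $rc in
        0) echo "$d: ok, files before winbind" ;;
        1) echo "$d: winbind not configured" ;;
        2) echo "$d: files missing or after winbind" ;;
    esac
done
rm -f "$sample"
```

On a live machine, pass `/etc/nsswitch.conf` as the second argument and follow a passing result with `getent passwd` and `getent group` as in step 7.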
I'm not trying to integrate with AD. Our environment, fortunately (depending on how you look at it), is not host to any Windows machines. I use startx and blackbox on my own machine 'cause I tend to work in shell sessions, for the most part. I wanted to set up a test environment so I can work out a few details.