12-21-2014, 02:40 PM   #1
strepronigrin
kerberos + OpenLDAP + NSS + CyrusSASL; no PAM on slackware?


Greetings fellow Slackers,
Is anyone running krb5 + ldap + sasl + nss on Slackware?
I don't believe that it is mandatory to integrate with PAM - just that it makes it easier to implement.
I'd appreciate your thoughts on this.
Thanks.
 
12-21-2014, 02:58 PM   #2
kikinovak
Unfortunately, it is mandatory, despite the odd misinformed rumour. No PAM in Slackware is a PITA for me.
 
12-21-2014, 03:42 PM   #3
chemfire
Depends on why you need LDAP. If it's Active Directory you want to integrate with, then up to Slackware 14.1 (never tried on current) you can mostly integrate a Slackware machine as a domain member server; Samba does all the LDAP work.

Basic steps.

1) install the MIT kerberos package. It's on slackbuilds.
1a) make certain openldap is installed
2) rebuild Samba using the original slackbuild script
2a) rebuild sshd with kerberos support
3) configure samba rid/sid mapping and join the domain.
4) modify /etc/inittab to pass the -l argument to agetty, use login.krb binary as the logon program
5) modify /etc/rc.d/rc.samba to start/stop winbindd as well as smbd and nmbd
6) update /etc/nsswitch.conf to use files and then winbind (for passwd and group)
7) test winbind, test getent
8) reboot

This configuration has some limitations. You will be able to log in at the console or with ssh using domain credentials, and you can use Windows groups and users for file ownerships etc. Other packages like proftp / apache / imapd etc. will see group memberships and be able to get a listing of users but will NOT be able to authenticate a user; they have no way to obtain the password hashes.

It's usually possible to work around these things; for instance, I used to need to host FTP in such an environment. You can set up radius on Windows, proftp can authenticate with radius, and then at the FS level the Windows users and groups just work(tm).

I actually requested Pat add radius support to his proftpd build once upon a time for this reason and he was gracious enough to do so!

One thing that I am sure derailed kikinovak, and that I never solved, was an X greeter. If you intend to use X you will have to log in at run level three and do startx. Way back on like Slackware 10.2, I had some patches for XDM that I did myself, but they quit applying a long time ago.


So it really depends on what your needs are exactly; it can mostly work but you will run across the odd thing from time to time that is unable to authenticate.

*edit

Just to make one more comment. PAM is actually a very useful abstraction for solving this problem. This method touches fewer Slackware packages than going down the path of rebuilding stuff all up and down the tree to support PAM, which means you apply most patches and upgrade more easily when the time comes. However, it is kludgy as hell.

Last edited by chemfire; 12-21-2014 at 04:01 PM.
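
A check for steps 6 and 7 of the procedure above, as an added example that is not part of chemfire's post. It verifies that `passwd` and `group` consult `files` before `winbind`, so local accounts such as root keep resolving from the local files first; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check steps 6 and 7 of the procedure.

# nss_order_ok FILE DB
# Returns 0 only if DB's line in FILE lists "files" before "winbind".
nss_order_ok() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                      # strip comments
        $1 == db {
            for (i = 2; i <= NF; i++) {
                if ($i == "files"   && !f) f = i
                if ($i == "winbind" && !w) w = i
            }
            found = 1; exit
        }
        END { exit !(found && f && w > f) }
    ' "$1"
}

# nss_report FILE: one verdict per database, returns 1 if any check fails.
nss_report() {
    rc=0
    for db in passwd group; do
        if nss_order_ok "$1" "$db"; then echo "$db: ok"
        else echo "$db: expected 'files' then 'winbind'"; rc=1; fi
    done
    return $rc
}

# live_checks USER: step 7 on the joined host (needs a running winbindd).
# USER is a domain account name in whatever form your winbind setup maps it.
live_checks() {
    wbinfo -t || return 1                       # machine trust secret is valid
    wbinfo -u >/dev/null || return 1            # winbindd can list domain users
    getent passwd "$1" >/dev/null || return 1   # NSS resolves the domain user
    # root must still resolve to UID 0
    [ "$(getent passwd root | cut -d: -f3)" = "0" ]
}

# Constructed sample config: passwd is correct, group has the order reversed.
sample=$(mktemp)
printf '%s\n' '# sample' 'passwd: files winbind' 'group: winbind files' > "$sample"
nss_report "$sample" || true
rm -f "$sample"
```

On the joined host, run `nss_report /etc/nsswitch.conf` and `live_checks` with a domain account name before the reboot in step 8.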
 
12-21-2014, 04:57 PM   #4
strepronigrin
Original Poster
Thanks for the feedback.

I'm not trying to integrate with AD. Our environment, fortunately (depending on how you look at it), is not host to any Windows machines. I use startx and blackbox on my own machine 'cause I tend to work in shell sessions, for the most part. I wanted to set up a test environment so I can work out a few details.

Cheers, all
 