[Bug 411249] Re: libpam-krb5 default configuration does not allow login for LDAP users

Russ Allbery rra at debian.org
Mon Aug 10 23:24:12 UTC 2009


Philipp Kaluza <pk+debs at yomu.de> writes:

>   Depending on your exact Kerberos configuration, if your kerberos
>   passwords are stored in the LDAP server anyhow, you might want to
>   consider pam_ldap for password updates. If you do, make sure TLS or
>   SSL works correctly between the user-facing hosts and the LDAP server.

I feel obligated to say that I would be extremely uncomfortable running
this configuration as opposed to using the Kerberos password change
protocol.  I don't believe there is any advantage to doing it this way and
quite a few disadvantages around making sure that this mechanism is and
stays sufficiently secure.

If you're using Kerberos plus LDAP for nsswitch information, you shouldn't
need to install or use an LDAP PAM module.  You should also never do
authentication via LDAP if you can avoid it; it destroys some of the
security advantages that Kerberos offers.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
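The split Russ describes (LDAP as an nsswitch source for passwd/group data, Kerberos for authentication and password changes, no pam_ldap in the PAM stacks) can be checked mechanically on a host. The shell script below is an added example and is not part of this bug thread, of libpam-krb5 or of Ubuntu's PAM configuration: it flags pam_ldap.so on any auth or password line of a PAM stack file and confirms that pam_krb5.so handles both, then runs over two constructed sample stacks written to a temporary directory. The sample file names, the helper names and the module options shown in the samples are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug thread or of libpam-krb5.
# Audits PAM stack files for the pattern the thread warns against:
# pam_ldap.so performing authentication or password changes. LDAP is
# fine as an nsswitch source; auth and password should go through
# pam_krb5.so so the Kerberos password change protocol is used.

# Return 0 when FILE has no auth or password line that loads pam_ldap.so,
# 1 otherwise. Comment lines and account/session lines are ignored.
pam_file_clean() {
    file=$1
    # PAM type (auth|password), any control field, then the pam_ldap module.
    if grep -E '^[[:space:]]*(auth|password)[[:space:]]+[^#]*pam_ldap\.so' "$file" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Return 0 when FILE routes both auth and password through pam_krb5.so.
pam_file_uses_krb5() {
    file=$1
    grep -E '^[[:space:]]*auth[[:space:]]+[^#]*pam_krb5\.so' "$file" >/dev/null 2>&1 &&
    grep -E '^[[:space:]]*password[[:space:]]+[^#]*pam_krb5\.so' "$file" >/dev/null 2>&1
}

# Write two constructed sample stacks into DIR: one in the discouraged
# shape (pam_ldap for auth and password) and one in the recommended shape.
write_samples() {
    dir=$1
    cat >"$dir/ldap-auth" <<'EOF'
# constructed sample: LDAP used for authentication and password changes
auth      sufficient   pam_ldap.so
auth      required     pam_unix.so nullok_secure use_first_pass
password  sufficient   pam_ldap.so
password  required     pam_unix.so nullok obscure md5
EOF
    cat >"$dir/krb5-auth" <<'EOF'
# constructed sample: Kerberos for authentication and password changes;
# LDAP appears only in nsswitch.conf as the passwd/group source
auth      sufficient   pam_krb5.so minimum_uid=1000
auth      required     pam_unix.so nullok_secure try_first_pass
password  sufficient   pam_krb5.so minimum_uid=1000
password  required     pam_unix.so nullok obscure md5
EOF
}

# Print a verdict for one stack file; return 0 only if it is acceptable.
audit() {
    if pam_file_clean "$1" && pam_file_uses_krb5 "$1"; then
        echo "OK:   $1 authenticates via pam_krb5.so, no pam_ldap.so in auth/password"
        return 0
    fi
    echo "WARN: $1 uses pam_ldap.so for auth/password or lacks pam_krb5.so"
    return 1
}

# Stand-alone run over the constructed samples.
main() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    audit "$tmp/ldap-auth" || true
    audit "$tmp/krb5-auth"
    rm -rf "$tmp"
}

main
```

On a real Debian or Ubuntu host the functions would be pointed at /etc/pam.d/common-auth and /etc/pam.d/common-password (paths assumed from the Debian PAM layout); the script deliberately does not touch account or session lines, where an LDAP module does not carry credentials.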

-- 
libpam-krb5 default configuration does not allow login for LDAP users
https://bugs.launchpad.net/bugs/411249

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
