ID #1125

How do I enable multi-level Kerberos and LDAP authentication in cmgui?


How do I enable both Kerberos and LDAP authentication for cmgui?

For Red Hat-based systems such as RHEL, CentOS or Scientific Linux:


Configure The Head Node

  • Configure your head node as a Kerberos client by installing the client packages and providing a valid krb5.conf configuration file:


  • If kerberos.krb.srv is the Kerberos server, run the following commands on the head node to install the client packages and copy its krb5.conf:



# yum install krb5-libs krb5-workstation

# scp kerberos.krb.srv:/etc/krb5.conf /etc/krb5.conf


Enable Kerberos and LDAP Authentication


Rather than modifying files manually, it is easier and less error-prone to use the Red Hat authconfig-tui tool as discussed in the following Knowledge Base article (but make sure that Use LDAP Authentication is also checked):




To allow authentication to go through both Kerberos and Bright LDAP, the auth section of /etc/pam.d/system-auth-ac should be modified as follows:


auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 500 quiet
auth        required
auth        sufficient
auth        required




Verify Kerberos Authentication Operation

It is important to verify that authentication is working properly. To do so, follow these steps:


1. Add a kerbtest principal on the Kerberos server:

# kadmin

kadmin: addprinc kerbtest


2. Add the user kerbtest to Bright LDAP using cmsh, with the password "ldaptest":

# cmsh

% user add user kerbtest

% set password ldaptest

% commit


3. Attempt to log in to cmgui as kerbtest.
The configuration allows authentication to go through both Kerberos and Bright LDAP, so when logging in to cmgui you will be asked for


(i) the Kerberos password first (with a maximum of two trials)

(ii) then for the Bright LDAP password (with one trial).


The user is authenticated successfully only if both passwords are accepted: the Kerberos password by the Kerberos server and the LDAP password by Bright LDAP.


This is two-level rather than two-factor authentication: both passwords are entered through the same cmgui login channel, so the end-to-end authentication paths for Kerberos and LDAP are not separate.
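To make the behaviour of the PAM stack above concrete (why both passwords are requested, and why one accepted password is not enough), here is an added simulation of how PAM combines the control flags required, requisite and sufficient; it is illustration code, not code from this KB article or from Bright. The control flags and arguments are the article's; the module roles (local password, succeed_if, deny) are assumptions inferred from those arguments.

```python
# Simulate how PAM evaluates the six-line 'auth' stack from this article.
# Added illustration, not code from the KB article or from Bright. Module
# roles are assumptions inferred from the arguments the article shows
# (nullok/try_first_pass -> local password, uid >= 500 -> succeed_if,
# the final 'required' -> deny); the control flags are the article's own.
from typing import Dict, List, Tuple

# (control flag, module role) in stack order, matching the article.
TWO_LEVEL_STACK: List[Tuple[str, str]] = [
    ("required", "env"),          # environment setup, always succeeds
    ("sufficient", "local"),      # local password, nullok try_first_pass
    ("requisite", "succeed_if"),  # uid >= 500 quiet: system accounts stop here
    ("required", "kerberos"),     # Kerberos password must be accepted ...
    ("sufficient", "ldap"),       # ... and then the Bright LDAP password too
    ("required", "deny"),         # catch-all, always fails
]


def run_auth_stack(stack: List[Tuple[str, str]],
                   results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (authenticated, modules consulted) for one login attempt.

    results maps module role -> whether that module accepts the user.
    Control flags as in pam.conf(5): 'required' remembers a failure but
    keeps going (later modules still prompt, so the failure is hidden);
    'requisite' fails immediately; 'sufficient' succeeds immediately
    unless a 'required' module already failed, and its failure is ignored.
    """
    consulted: List[str] = []
    required_failed = False
    for flag, module in stack:
        consulted.append(module)
        ok = results.get(module, False)
        if flag == "required" and not ok:
            required_failed = True
        elif flag == "requisite" and not ok:
            return False, consulted
        elif flag == "sufficient" and ok and not required_failed:
            return True, consulted
    return not required_failed, consulted


def login(kerberos_ok: bool, ldap_ok: bool, local_ok: bool = False,
          uid_ok: bool = True) -> Tuple[bool, List[str]]:
    """Model one cmgui login; defaults describe an LDAP/Kerberos user."""
    return run_auth_stack(TWO_LEVEL_STACK, {
        "env": True, "local": local_ok, "succeed_if": uid_ok,
        "kerberos": kerberos_ok, "ldap": ldap_ok, "deny": False})
```

With the Kerberos line marked required, a wrong Kerberos password still lets the stack reach the LDAP prompt but ends in deny; changing that line to sufficient would let a single accepted password log the user in, collapsing the stack to one level.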
