ID #1125

How do I enable multi-level Kerberos and LDAP authentication in cmgui?

How do I enable both Kerberos and LDAP authentication for cmgui?

For Red Hat-based systems such as RHEL, CentOS or Scientific Linux:

Configure The Head Node

  • Configure your head node as a Kerberos client by installing the client packages and providing a valid krb5.conf configuration file.

  • If kerberos.krb.srv is the Kerberos server, then execute the following commands on the head node:

# yum install krb5-libs krb5-workstation
# scp kerberos.krb.srv:/etc/krb5.conf /etc/krb5.conf

Enable Kerberos and LDAP Authentication

Rather than modifying files manually, it is easier and less error-prone to use the Red Hat authconfig-tui tool as discussed in the following Knowledge Base article (but make sure that Use LDAP Authentication is also checked):

/faq/index.php?action=artikel&id=8

To allow authentication to go through both Kerberos and Bright LDAP, the /etc/pam.d/system-auth-ac file should be modified as follows:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_krb5.so
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so

Verify Kerberos Authentication Operation

It is important to verify that authentication is working properly. To do so, follow these steps:

1. Add the kerbtest principal on the Kerberos server:

# kadmin
kadmin: addprinc kerbtest

2. Add the user kerbtest to Bright LDAP using cmsh, with the password "ldaptest":

# cmsh
% user add user kerbtest
% set password ldaptest
% commit

3. Attempt to log in to cmgui as kerbtest:

The configuration allows authentication to go through both Kerberos and Bright LDAP. Thus, when attempting to log in to cmgui, you will be asked for

(i) the Kerberos password first (with a maximum of two tries), and

(ii) then the Bright LDAP password (with one try).

The user is authenticated successfully only if both passwords match.

This is a two-level rather than a two-factor authentication, because the end-to-end authentication channels for the two authentication types (Kerberos and LDAP) are not separate.
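Why this stack demands both passwords follows from the PAM control flags, and the easiest way to see it is to replay them. The script below is an added example, not part of this article and not Bright Cluster Manager code: it walks the exact system-auth-ac stack above with Linux-PAM semantics for required, requisite and sufficient, against constructed stand-ins for the local password file, the Kerberos KDC and Bright LDAP. The user names, passwords and uids are invented; the modules' prompting and retry behaviour (such as the two Kerberos attempts) is not modelled, and the simplification that pam_unix and pam_krb5 both check the first typed password is an assumption of the model.

```python
"""Replay Linux-PAM control-flag semantics over the system-auth-ac stack above.

Added illustration, not Bright Cluster Manager code. The user databases are
constructed stand-ins for /etc/shadow, the Kerberos KDC and Bright LDAP; the
module functions mimic only the success/failure decision of the real modules.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Creds = Dict[str, Optional[str]]

# Constructed data (assumption): user -> (password, uid)
LOCAL_USERS = {"root": ("rootpass", 0)}             # stands in for /etc/passwd + /etc/shadow
KERBEROS_PRINCIPALS = {"kerbtest": "krbsecret"}     # stands in for the KDC database
LDAP_USERS = {"kerbtest": ("ldaptest", 1001)}       # stands in for Bright LDAP


@dataclass
class Rule:
    control: str                  # required | requisite | sufficient | optional
    name: str                     # module name, used in the trace only
    fn: Callable[[Creds], bool]   # True == PAM_SUCCESS


def uid_of(user: str) -> Optional[int]:
    entry = LOCAL_USERS.get(user) or LDAP_USERS.get(user)
    return entry[1] if entry else None


# Module stand-ins. Modelling assumption: the first typed password is what
# pam_unix and pam_krb5 check (the "Kerberos password" prompt in the text), the
# second typed password is what pam_ldap checks (the "Bright LDAP password").
def pam_env(c: Creds) -> bool:
    return True                                # only sets environment variables

def pam_unix(c: Creds) -> bool:
    entry = LOCAL_USERS.get(c["user"])
    return entry is not None and entry[0] == c["first_password"]

def pam_succeed_if_uid(c: Creds) -> bool:      # "uid >= 500": system accounts never reach Kerberos/LDAP
    uid = uid_of(c["user"])
    return uid is not None and uid >= 500

def pam_krb5(c: Creds) -> bool:
    return KERBEROS_PRINCIPALS.get(c["user"]) == c["first_password"]

def pam_ldap(c: Creds) -> bool:
    entry = LDAP_USERS.get(c["user"])
    return entry is not None and entry[0] == c["second_password"]

def pam_deny(c: Creds) -> bool:
    return False


SYSTEM_AUTH_AC: List[Rule] = [
    Rule("required",   "pam_env.so",        pam_env),
    Rule("sufficient", "pam_unix.so",       pam_unix),
    Rule("requisite",  "pam_succeed_if.so", pam_succeed_if_uid),
    Rule("required",   "pam_krb5.so",       pam_krb5),
    Rule("sufficient", "pam_ldap.so",       pam_ldap),
    Rule("required",   "pam_deny.so",       pam_deny),
]


def evaluate(stack: List[Rule], creds: Creds) -> Tuple[bool, List[str]]:
    """Walk the stack with Linux-PAM control-flag semantics; return (granted, trace)."""
    trace: List[str] = []
    required_failed = False   # a failed 'required' module is remembered, not reported yet
    any_success = False
    for rule in stack:
        ok = rule.fn(creds)
        trace.append(f"{rule.name:<18} {rule.control:<10} -> {'success' if ok else 'failure'}")
        if rule.control == "requisite" and not ok:
            trace.append("requisite failure: stack aborted, access denied")
            return False, trace
        if rule.control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True   # keep going so the caller cannot tell which module failed
        elif rule.control == "sufficient" and ok and not required_failed:
            trace.append("sufficient success with no earlier required failure: access granted")
            return True, trace
        elif rule.control == "requisite":
            any_success = True
        # a failed 'sufficient' module, or any 'optional' module, does not change the outcome
    granted = any_success and not required_failed
    trace.append(f"end of stack: access {'granted' if granted else 'denied'}")
    return granted, trace


def authenticate(user: str, first_password: str,
                 second_password: Optional[str] = None) -> Tuple[bool, List[str]]:
    creds: Creds = {"user": user, "first_password": first_password,
                    "second_password": second_password}
    return evaluate(SYSTEM_AUTH_AC, creds)


if __name__ == "__main__":
    for args in [("kerbtest", "krbsecret", "ldaptest"),   # both passwords correct
                 ("kerbtest", "wrong", "ldaptest"),       # Kerberos wrong, LDAP right
                 ("kerbtest", "krbsecret", "wrong"),      # Kerberos right, LDAP wrong
                 ("root", "rootpass"),                    # local account: pam_unix suffices
                 ("root", "wrong")]:                      # uid < 500: requisite aborts the stack
        granted, trace = authenticate(*args)
        print(f"{args[0]}: {'granted' if granted else 'denied'}")
        for line in trace:
            print("   ", line)
```

The trace makes the two-level behaviour visible: a wrong Kerberos password is recorded by the required pam_krb5 entry but the stack continues, so a correct LDAP password at the sufficient pam_ldap entry cannot rescue the login; a wrong LDAP password falls through to pam_deny. For a local account such as root, pam_unix is sufficient on its own, and when it fails the requisite pam_succeed_if entry stops the stack before Kerberos or LDAP are ever consulted.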
