How do I enable both kerberos and LDAP authentication for cmgui?
For Red Hat-based system such as RHEL, CentOS or Scientific Linux:
Configure The Head Node
Configure your head node as a Kerberos client by installing the client packages and providing a valid krb5.conf configuration file:
- If kerberos.krb.srv is the Kerberos server, then execute the following commands on the head node:
# yum install krb5-libs krb5-workstation
# scp kerberos.krb.srv:/etc/krb5.conf /etc/krb5.conf
Enable Kerberos and LDAP Authentication
Rather than modifying files manually, it is easier and less error-prone to use the Red Hat authconfig-tui tool as discussed in the following Knowledge Base article (but make sure that Use LDAP Authentication is also checked):
To allow authentication to go through both Kerberos and Bright LDAP, the /etc/pam.d/system-auth-ac should be modified as follows:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_krb5.so
auth sufficient pam_ldap.so
auth required pam_deny.so
Verify Kerberos Authentication Operation
It is important to verify that the authentication is working properly. To verify the authentication operation follow these steps:
1. add kerbtest principal in Kerberos server:
kadmin: addprinc kerbtest
2. add user kerbtest to Bright LDAP using cmsh with password “ldaptest”
% user add user kertest
% set password ldaptest
3. attempt to login to CMGUI using kerbtest:
The configuration will allow authentication to go through both Kerberos and Bright LDAP. Thus, when attempting to login to cmgui, you’ll be asked for
(i) the Kerberos password first (with a maximum of two trials)
(ii) then for the Bright LDAP password (with one trial).
The user will be authenticated successfully if the two passwords match.
This is a two-level rather than two-factor authentication because end-to-end authentication channels for both types of authentication (Kerberos and LDAP) are not separate.