So, I know the answer is probably "use the PAM primary factor", but....

Currently, our authoritative authentication source is kerberos.  We're
looking at making our IDM the authoritative source (and it would push
password changes out to krb, AD, etc).

We could point cosign at the IDM LDAP interface, but then we lose ability
to send kerberos tickets to cosign filters.

We could use the primary PAM factor to try kerberos first, then fall
through to LDAP.. but again we lose the ability to send kerberos tickets.

What I'd kind of like is the ability to fall through the kerberos primary
factor to the PAM factor.  It would also be ok if we could figure out how
to give kerberos authenticated PAM factor sessions access to kerberos
tickets.

Any suggestions?

Liam
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss