Nicolas,
This email is to address the remaining KRB mapper question and the pam_pkcs11.conf configuration issue. Please see below for my response.
Huie-Ying Lee wrote:
> Nicolas Williams wrote:
>
>> The 'krb' mapper should specify a realm name, no? Or is it formatting a
>> principal name of the form <PAM_USER>@<default-realm> and then comparing
>> it to the krb5 princname subjectAltName?
>>
>
> I haven't tested this part yet. Will get back to you when I have more info.
>
The answer to the first question is "no". The "krb" mapper does not need to
specify a realm name.
The answer to the 2nd question is "yes". To use the KRB mapper, a certificate
should contain a subjectAltName with the <user>@<realm> format for
oid = {1 3 6 1 5 2 2}.
>> The pam_pkcs11.conf manpage in the materials refers to
>> /usr/lib/opensc-pkcs11.so and so on as well... This should be cleaned
>> up.
>>
>
> OK, will clean it up.
>
I think you meant the pam_pkcs11.conf configuration file, not the pam_pkcs11.sunman man page. Right?
I have updated the pam_pkcs11.conf configuration file and requested Darren to put it into the materials directory yesterday.
>
>>> (Note: will support both 32-bit and 64-bit versions.)
>>>
>>> [...]
>>>
>>> Sample Mapfiles and script:
>>>
>>> /etc/security/pam_pkcs11/digest_mapping.example
>>> /etc/security/pam_pkcs11/subject_mapping.example
>>> /etc/security/pam_pkcs11/mail_mapping.example
>>> /etc/security/pam_pkcs11/make_hash_link.sh
>>
>> The above are not in the materials.
>>
>
> Right. Will fix this.
>
> I have requested Darren to put them in the materials directory, as
> I don't have write permission.
>
The above 4 missing pieces are now in the materials directory
already. Thanks to Darren.
Huie-Ying
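As an added example (not pam_pkcs11's own code and not part of this thread): the KRB mapper check discussed above, decoding the otherName SAN with oid = {1 3 6 1 5 2 2} and comparing it with <PAM_USER>@<default-realm>. It assumes the SAN carries the standard KRB5PrincipalName ASN.1 structure from RFC 4556 and that the mapper's comparison is the exact match Nicolas asked about; the DER input is constructed inline with a tiny encoder.

```python
KRB5_PRINCIPAL_NAME_OID = "1.3.6.1.5.2.2"   # id-pkinit-san, RFC 4556

def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """List the (tag, value) pairs packed inside a constructed element."""
    pos, out = 0, []
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        out.append((tag, inner))
    return out

def decode_krb5_principal_name(der):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    Returns the name in the familiar 'comp1/comp2@REALM' form."""
    tag, body, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("KRB5PrincipalName must be a SEQUENCE")
    fields = dict(der_children(body))                    # {0xA0: [0] realm, 0xA1: [1] principalName}
    realm = der_children(fields[0xA0])[0][1].decode("ascii")   # GeneralString (tag 0x1B)
    principal = dict(der_children(der_tlv(fields[0xA1])[1]))
    names = der_tlv(principal[0xA1])[1]                  # body of SEQUENCE OF KerberosString
    components = [s.decode("ascii") for _, s in der_children(names)]
    return "/".join(components) + "@" + realm

def krb_mapper_matches(san_oid, san_der, pam_user, default_realm):
    """True only for a KRB5PrincipalName SAN equal to <pam_user>@<default_realm>;
    a different OID, a different realm, or a multi-component principal is rejected."""
    if san_oid != KRB5_PRINCIPAL_NAME_OID:
        return False
    return decode_krb5_principal_name(san_der) == f"{pam_user}@{default_realm}"

def _tlv(tag, value):
    """Tiny DER encoder (short-form lengths only) used to build the constructed sample."""
    return bytes([tag, len(value)]) + value

def encode_krb5_principal_name(components, realm):
    """Encode a principal as a certificate's id-pkinit-san otherName would carry it."""
    names = _tlv(0x30, b"".join(_tlv(0x1B, c.encode()) for c in components))
    principal = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x01")) + _tlv(0xA1, names))  # name-type 1 = NT-PRINCIPAL
    return _tlv(0x30, _tlv(0xA0, _tlv(0x1B, realm.encode())) + _tlv(0xA1, principal))

SAMPLE_SAN = encode_krb5_principal_name(["alice"], "EXAMPLE.COM")   # constructed sample input
```

With a real certificate, san_oid and san_der would come from the parsed subjectAltName otherName; the exact comparison rules of the shipped pam_pkcs11 mapper are not stated in this thread and may differ.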