Java Desktop System Configuration Manager Release 1.1 Installation Guide

Data Access/User Authentication

The Configuration Agent retrieves information from the LDAP server based on the login ID of a desktop user. The User/UniqueIdAttribute setting of the organizational mapping file maps the login ID to a user entity in the LDAP server. The Configuration Agent also retrieves information about the host, such as the name or the IP address of the host. This information is mapped to a host entity in the LDAP server through the Host/UniqueIdAttribute setting of the organizational mapping file.

There are two methods to access the LDAP server, namely anonymously or with GSSAPI. For anonymous access, no action is required on the desktop. For the GSSAPI method, Kerberos credentials must be acquired on the desktop. To integrate Kerberos credential acquisition with the user login, the pam_krb5 module must be installed and configured on the Java Desktop System host.

You can use gdm to integrate Kerberos with the user login, for example, by using the following /etc/pam.d/gdm file:

auth   required  nullok #set_secrpc
auth   optional use_first_pass missing_keytab_ok ccache=SAFE putenv_direct
account required 
password required  #strict=false
session required  # trace or none
session required 
session optional 

If you integrate Kerberos with user login in this way, you should also enable the screensaver's Kerberos support, for example by using the following /etc/pam.d/xscreensaver file:

auth required use_first_pass missing_keytab_ok ccache=SAFE putenv_direct
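
The following check is an added example, not part of the original guide: it parses the two PAM service files and reports when gdm has a pam_krb5 auth rule but xscreensaver has none, has different options, or has a rule broken across lines without a continuation backslash. The function names are hypothetical, and the module paths in the constructed samples (pam_unix.so, pam_krb5.so) are assumptions, since the listings above do not show module paths.

```python
import os

PAM_TYPES = ("auth", "account", "password", "session")

def parse_pam(text):
    """Return (rules, malformed); a rule is (type, control, module, options)."""
    rules, malformed = [], []
    # A backslash at end of line continues the rule on the next line.
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split()   # '#' starts a comment
        if not fields:
            continue
        if len(fields) > 1 and fields[1].startswith("["):
            # A bracketed control such as [success=ok default=die] has spaces.
            end = next((i for i, f in enumerate(fields) if i and f.endswith("]")), None)
            if end is not None:
                fields[1:end + 1] = [" ".join(fields[1:end + 1])]
        kind = fields[0].lstrip("-")
        if len(fields) < 3 or kind not in PAM_TYPES:
            malformed.append(raw.strip())
            continue
        rules.append((kind, fields[1], fields[2], fields[3:]))
    return rules, malformed

def krb5_auth_options(rules):
    """Options of the first pam_krb5 rule in the auth stack, or None."""
    for kind, _control, module, options in rules:
        if kind == "auth" and os.path.basename(module).startswith("pam_krb5"):
            return set(options)
    return None

def audit(gdm_text, xss_text):
    """Compare the screensaver's Kerberos auth rule with the login rule."""
    (gdm, gdm_bad), (xss, xss_bad) = parse_pam(gdm_text), parse_pam(xss_text)
    findings = [f"gdm: unparsable line {l!r}" for l in gdm_bad]
    findings += [f"xscreensaver: unparsable line {l!r}" for l in xss_bad]
    login, lock = krb5_auth_options(gdm), krb5_auth_options(xss)
    if login is None:
        return findings                  # login does not use Kerberos
    if lock is None:
        findings.append("xscreensaver: no pam_krb5 auth rule, but gdm has one")
    elif login != lock:
        findings.append(f"pam_krb5 options differ: {sorted(login ^ lock)}")
    return findings

# Constructed samples; the module paths are assumptions.
GDM = ("auth required pam_unix.so nullok #set_secrpc\n"
       "auth optional pam_krb5.so use_first_pass missing_keytab_ok ccache=SAFE putenv_direct\n")
XSS_CONTINUED = ("auth required pam_krb5.so use_first_pass missing_keytab_ok \\\n"
                 "ccache=SAFE putenv_direct\n")
XSS_SPLIT = XSS_CONTINUED.replace("\\\n", "\n")   # same rule, wrapped without '\'
```

To audit a host, pass the contents of /etc/pam.d/gdm and /etc/pam.d/xscreensaver to audit() and review any findings it returns.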