Hi Thomas,

>>>>> "Thomas" == thomas emde <thomas.emde@scaleon.de> writes:

Thomas> I have stored my user accounts in an LDAP database and for
Thomas> some reason there are still some users in /etc/passwd.
Thomas> Now I would like to let both types of users have access to
Thomas> certain linux boxes via ssh. In my /etc/pam.d/sshd I have
Thomas> the following lines:

Thomas> auth sufficient /lib/security/pam_ldap.so
Thomas> auth required /lib/security/pam_unix.so # set_secrpc
Thomas> auth required /lib/security/pam_nologin.so
Thomas> auth required /lib/security/pam_env.so
Thomas> auth required /lib/security/pam_mail.so
Thomas> account sufficient /lib/security/pam_ldap.so
Thomas> account required /lib/security/pam_unix.so
Thomas> [...]

Thomas> This way it works fine, but additionally I would like to
Thomas> restrict the access of users only to certain hosts using
Thomas> the "host" attribute in ldap where the accessible hosts
Thomas> are listed. But with the above configuration this won't
Thomas> work, the user can access any host, even if not listed in
Thomas> the ldap database (yes I use "pam_check_host_attr=yes" in
Thomas> my ldap configuration). If I change the "auth sufficient
Thomas> /lib/security/pam_ldap.so" into "auth required...", the
Thomas> host attribute is checked but now the "/etc/passwd"-users
Thomas> cannot login at all.

Thomas> Any ideas or hints are greatly appreciated...

Strange, isn't it? I posted a long message about this a couple of weeks ago. It is archived at:

https://listman.redhat.com/mailman/private/pam-list/2002-April/005722.html

I'd be interested in hearing your opinion of my message and Sam's replies.

By the way, I think you probably want the miscellaneous auth modules (pam_nologin, pam_env, pam_mail) to be listed before any sufficient modules (such as pam_ldap).

peace & happiness,
martin
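
Martin's ordering remark, as an added example that is not part of the original message: a simplified Python model of the "required" and "sufficient" control flags, run over the auth stack Thomas posted. The per-user module outcomes are constructed, and the model covers only these two flags.

```python
# Simplified model of the "required" and "sufficient" control flags.
# Module outcomes are constructed sample values, not output from real PAM.

def run_stack(stack, outcomes):
    """Return (granted, modules_called) for one pass over a PAM stack.

    stack    -- list of (control, module) in file order
    outcomes -- module -> True (success) / False (failure) for this user
    """
    called = []
    required_failed = False
    any_success = False
    for control, module in stack:
        called.append(module)
        ok = outcomes[module]
        if control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True   # remembered; the stack keeps running
        elif control == "sufficient":
            if ok and not required_failed:
                return True, called      # short-circuit: later modules are skipped
            # a failed "sufficient" module is ignored
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return (any_success and not required_failed), called

MISC = ["pam_nologin", "pam_env", "pam_mail"]

# Thomas's auth stack, in the order posted.
POSTED = [("sufficient", "pam_ldap"), ("required", "pam_unix")] + \
         [("required", m) for m in MISC]
# The same stack with pam_ldap switched to "required", as Thomas tried.
LDAP_REQUIRED = [("required", "pam_ldap")] + POSTED[1:]
# Martin's suggestion: miscellaneous modules ahead of any "sufficient" one.
REORDERED = [("required", m) for m in MISC] + POSTED[:2]

# Constructed outcomes: each user authenticates against one backend only.
LDAP_USER = {"pam_ldap": True, "pam_unix": False, **{m: True for m in MISC}}
LOCAL_USER = {"pam_ldap": False, "pam_unix": True, **{m: True for m in MISC}}

if __name__ == "__main__":
    print("posted, LDAP user:       ", run_stack(POSTED, LDAP_USER))
    print("posted, local user:      ", run_stack(POSTED, LOCAL_USER))
    print("ldap required, local:    ", run_stack(LDAP_REQUIRED, LOCAL_USER))
    print("reordered, LDAP user:    ", run_stack(REORDERED, LDAP_USER))
```

In the posted order an LDAP user's login returns as soon as pam_ldap succeeds, so pam_nologin, pam_env and pam_mail are never consulted for that user; in the reordered stack they run for both kinds of user.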