Hi,

I currently have my PAM configuration file for su set to use pam_wheel, followed by pam_ldap as follows:

    auth     sufficient /lib/security/pam_rootok.so
    auth     required   /lib/security/pam_wheel.so
    auth     sufficient /lib/security/pam_ldap.so
    auth     required   /lib/security/pam_unix_auth.so use_first_pass
    account  sufficient /lib/security/pam_ldap.so
    account  required   /lib/security/pam_unix_acct.so
    password required   /lib/security/pam_cracklib.so
    password sufficient /lib/security/pam_ldap.so
    password required   /lib/security/pam_pwdb.so use_first_pass
    session  required   /lib/security/pam_unix_session.so

However, the effect is not quite the desired one. pam_wheel only consults the local /etc/group file to find users who are allowed to su, whereas I would like an LDAP server to be queried instead.

This would greatly ease administration, since we could just add or remove a user from the wheel group in LDAP and instantly either empower or emasculate said user across all of our systems.

We could then also configure other applications to allow only certain users to use them, by having pam_wheel query over LDAP for membership of other groups than just wheel. This would be an extremely powerful feature.

So, is there any way of getting pam_wheel to go over LDAP for its look-ups?

Ian
-- 
Ian Macdonald               | There is no sadder sight than a young
Senior System Administrator | pessimist.
Linuxcare, Inc.             |
Support for the Revolution  |
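
Added example, not part of the original post: a simplified Python model of the classic PAM control flags, applied to the four auth lines of the su configuration above, showing why a failed pam_wheel check denies su even when pam_ldap accepts the password. The per-module outcomes are constructed inputs and the evaluator is an approximation of Linux-PAM's documented required/requisite/sufficient behaviour, not the library's own code.

```python
# Simplified model of PAM's classic control flags (assumption: mirrors the
# documented behaviour of required / requisite / sufficient / optional).

# The auth stack from the su configuration in the post, in order.
AUTH_STACK = [
    ("sufficient", "pam_rootok"),
    ("required", "pam_wheel"),
    ("sufficient", "pam_ldap"),
    ("required", "pam_unix_auth"),
]


def evaluate(stack, outcomes):
    """Return (granted, modules_run).

    outcomes maps module name -> True (module succeeded) or False (failed);
    these values are constructed by the caller for each scenario.
    """
    required_failed = False
    any_success = False
    ran = []
    for control, module in stack:
        ok = outcomes[module]
        ran.append(module)
        if ok:
            any_success = True
            # A successful 'sufficient' module ends the stack early, but
            # only if no earlier 'required' module has already failed.
            if control == "sufficient" and not required_failed:
                return True, ran
        elif control == "requisite":
            return False, ran          # fail immediately
        elif control == "required":
            required_failed = True     # remember failure, keep going
        # a failed 'sufficient' or 'optional' module is ignored
    return (any_success and not required_failed), ran


# Constructed scenarios: which modules succeed for each kind of caller.
SCENARIOS = {
    "root": dict(pam_rootok=True, pam_wheel=True, pam_ldap=False, pam_unix_auth=False),
    "wheel_ldap_pw": dict(pam_rootok=False, pam_wheel=True, pam_ldap=True, pam_unix_auth=False),
    "wheel_local_pw": dict(pam_rootok=False, pam_wheel=True, pam_ldap=False, pam_unix_auth=True),
    "ldap_pw_not_in_wheel": dict(pam_rootok=False, pam_wheel=False, pam_ldap=True, pam_unix_auth=False),
}

if __name__ == "__main__":
    for name, outcomes in SCENARIOS.items():
        granted, ran = evaluate(AUTH_STACK, outcomes)
        print(f"{name:22} granted={granted} ran={ran}")
```
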