The pam_unix.so iterates through the entire group list to find out what groups you are in. You need this in your /etc/nsswitch.conf:

passwd: files [UNAVAIL=return] ldap
shadow: files [UNAVAIL=return] ldap
group: files [UNAVAIL=return] ldap

Also, I have hacked my /etc/pam.d/system-auth to look like this:

auth required /lib/security/pam_env.so debug
auth sufficient /lib/security/pam_unix.so debug
auth sufficient /lib/security/pam_krb5.so try_first_pass debug
auth required /lib/security/pam_deny.so debug
account sufficient /lib/security/pam_localuser.so debug
account sufficient /lib/security/pam_ldap.so debug
password required /lib/security/pam_cracklib.so retry=3 type=
password required /lib/security/pam_krb5.so
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
#session required /lib/security/pam_ldap.so
session required /lib/security/pam_limits.so debug
session required /lib/security/pam_unix.so debug

You will want to replace pam_krb5.so with pam_ldap.so in the auth section. Notice the pam_localuser in the account section.

And my /etc/pam.d/login looks like this:

auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so

Igmar Palsenberg <maillist@jdimedia.nl>
Sent by: pam-list-admin@redhat.com
09/20/2002 03:22 AM
Please respond to pam-list

To: pam-list@redhat.com
cc:
Subject: Re: ldap authentication

> But that doesn't explain why root is unable to login.

Because the auth fails if it can't contact the LDAP server, it has no knowledge in advance that root isn't in LDAP.

Igmar

_______________________________________________
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
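
Added example (not part of the original message and not Linux-PAM code): a small Python model of the control flags in the auth and account stacks posted above, showing that root's login is decided by pam_unix and pam_localuser before any network-backed module runs. The module outcomes and the ACCOUNT_LDAP_ONLY stack are constructed assumptions, and only the simple control keywords are modelled.

```python
# Simplified model of Linux-PAM's required/requisite/sufficient/optional
# control flags. Module results are constructed inputs, not real PAM calls.

def run_stack(stack, results):
    """stack: [(control, module)], results: {module: True/False}.
    Returns (granted, modules_called_in_order)."""
    failed_required = False   # a required module has failed
    positive = False          # some module has returned success
    called = []
    for control, module in stack:
        called.append(module)
        ok = results[module]
        if ok:
            positive = True
            if control == "sufficient" and not failed_required:
                return True, called        # stop here: later modules never run
        elif control == "requisite":
            return False, called           # fail immediately
        elif control == "required":
            failed_required = True         # fail, but keep running the stack
        # a failed sufficient/optional module is ignored
    return positive and not failed_required, called

# Stacks as posted in the message (arguments such as "debug" dropped).
AUTH = [("required", "pam_env"), ("sufficient", "pam_unix"),
        ("sufficient", "pam_krb5"), ("required", "pam_deny")]
ACCOUNT = [("sufficient", "pam_localuser"), ("sufficient", "pam_ldap")]
# Hypothetical account stack without pam_localuser, for comparison.
ACCOUNT_LDAP_ONLY = [("required", "pam_ldap")]

# Constructed outcome: root with a valid local password while the directory
# and KDC are unreachable, so every network-backed module returns an error.
ROOT_OFFLINE = {"pam_env": True, "pam_unix": True, "pam_localuser": True,
                "pam_krb5": False, "pam_ldap": False, "pam_deny": False}
# Constructed outcome: a directory-only user during the same outage.
REMOTE_OFFLINE = dict(ROOT_OFFLINE, pam_unix=False, pam_localuser=False)

if __name__ == "__main__":
    cases = [("auth, root", AUTH, ROOT_OFFLINE),
             ("account, root", ACCOUNT, ROOT_OFFLINE),
             ("account without pam_localuser, root", ACCOUNT_LDAP_ONLY, ROOT_OFFLINE),
             ("auth, directory-only user", AUTH, REMOTE_OFFLINE)]
    for name, stack, results in cases:
        granted, called = run_stack(stack, results)
        print(f"{name}: {'granted' if granted else 'denied'}, ran {called}")
```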