If it helps, here is how we do it with our Redhat/Fedora based network:

in our ldap.conf we have:

host ldap1.example.com ldap2.example.com
base ou=People,dc=example,dc=com
pam_check_host_attr yes
ssl start_tls
pam_password md5

then, allowed people have this in their entries on the ldap server (ldif export):

dn: uid=auser, ou=People, dc=example, dc=com
uid: auser
sn: User
cn: Any User
mail: auser@xxxxxxxxxxx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
ou: People
userPassword: {crypt}$1$salt$cryptpassword
gidNumber: 501
homeDirectory: /home/auser
uidNumber: 501
host: host1.example.com
host: host2.example.com
givenName: Any
loginShell: /bin/bash
gecos: Any User

(as you can see, I've changed names and deleted unimportant attributes)

Our /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
session     optional      /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

(notice that last line (pam_mkhomedir) - it allows account home directories to be automatically created if the user is allowed to log in.)
I believe the last important piece to check is in /etc/nsswitch.conf:

...
passwd: files ldap
shadow: files ldap
group:  files ldap
...

Hope this helps...

On Wed, 2003-12-17 at 10:16, Sergey wrote:
> On Wed, 17.12.2003, at 20:04, Chris Jackson writes:
> > Do you have a "host" attribute set in ldap with the host name you are
> > logging into? You will need a wild card (host = "*") if you want to
> > allow yourself access to all hosts where this is set.
> yes, I have only host=apex.csu.ac.ru, but I can log in to
> reindeer.csu.ac.ru. (I get a warning message about homedir and shell.)
> It's a good idea with host="*" for all hosts, I didn't know it, but at
> this time I want to deny access for host (just for test :-), and to
> deny access for other users)
> >
> > On Wed, 2003-12-17 at 09:47, Sergey wrote:
> > > Hi All!
> > > How does it work? I added "pam_check_host_attr yes" at /etc/ldap.conf.
> > > When I login to host, I get
> > > Access denied for this host
> > > Could not chdir to home directory /home/srg: No such file or directory
> > > -bash-2.05b$
> > > So, I have a shell :-(
> > > How can I fix it?
> > >
> > > P.S.
> > > May be /etc/ldap.conf and /etc/libnss-ldap.conf symlinks to
> > > /etc/ldap/ldap.conf at Debian box (/etc/ldap.conf link to
> > > /etc/openldap/openldap.conf at RedHat box)? I didn't notice there big
> > > differences..
> > >
> > > _______________________________________________
> >
> > Pam-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/pam-list
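As an added worked example (not from the thread and not pam_ldap's own code), the following Python script reads an LDIF export like the one above and applies, per entry, the rule that pam_check_host_attr enforces: a user may log in only if one of the entry's host values is this machine's name or the wildcard "*", and an entry with no host attribute at all is denied. The sample entries are constructed, and the exact matching rule (case-insensitive comparison against the local hostname, or "*") and the function names are assumptions made for this illustration.

```python
import socket

# Constructed sample export modelled on the entry in the post (not real data).
SAMPLE_LDIF = """\
dn: uid=auser, ou=People, dc=example, dc=com
uid: auser
host: host1.example.com
host: host2.example.com

dn: uid=buser, ou=People, dc=example, dc=com
uid: buser
host: *

dn: uid=cuser, ou=People, dc=example, dc=com
uid: cuser
"""

def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} dicts, attribute names
    lower-cased, RFC 2849 line folding (leading space) honoured."""
    entries, attrs, last = [], {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last][-1] += line[1:]          # folded continuation line
        elif not line.strip():
            if attrs:
                entries.append(attrs)            # blank line ends an entry
            attrs, last = {}, None
        elif ":" in line and not line.startswith("#"):
            name, _, value = line.partition(":")
            last = name.strip().lower()
            attrs.setdefault(last, []).append(value.strip())
    if attrs:
        entries.append(attrs)
    return entries

def host_allowed(entry, hostname):
    """Assumed pam_check_host_attr rule: allow if any host value is "*" or
    equals this host (case-insensitive). No host attribute means deny,
    which is the "Access denied for this host" case from the thread."""
    return any(h == "*" or h.lower() == hostname.lower()
               for h in entry.get("host", []))

def check_login(ldif_text, uid, hostname=None):
    """True if uid may log in on hostname (default: this machine)."""
    hostname = hostname or socket.gethostname()
    for entry in parse_ldif(ldif_text):
        if uid in entry.get("uid", []):
            return host_allowed(entry, hostname)
    return False  # unknown user: nothing grants access
```

This only evaluates the directory data; whether the module's verdict actually stops the login still depends on pam_ldap being present in the account stack of the PAM service, as in the system-auth above.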