On Thu, 18.12.2003, at 01:56, Chris Jackson wrote:
> if it helps, here is how we do it with our Redhat/Fedora based network:
> in our ldap.conf we have:
>
> host ldap1.example.com ldap2.example.com
> base ou=People,dc=example,dc=com
> pam_check_host_attr yes
> ssl start_tls
> pam_password md5
>
> then, allowed people have this in their entries on the ldap server (ldif
> export):
>
> dn: uid=auser, ou=People, dc=example, dc=com
> uid: auser
> sn: User
> cn: Any User
> mail: auser@xxxxxxxxxxx
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: account
> ou: People
> userPassword: {crypt}$1$salt$cryptpassword
> gidNumber: 501
> homeDirectory: /home/auser
> uidNumber: 501
> host: host1.example.com
> host: host2.example.com
> givenName: Any
> loginShell: /bin/bash
> gecos: Any User
>
> (as you can see, I've changed names and deleted unimportant attributes)

I have the same config.

>
> Our /etc/pam.d/system-auth:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so
> account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
>
> password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_ldap.so
> session optional /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
>
> (notice that last line (pam_mkhomedir) - it allows account home
> directories to be automatically created if the user is allowed to log in.)

I did it (homedir), but this pam config really helps me. Thanks..

>
>
> I believe the last important piece to check is in /etc/nsswitch.conf:
> ...
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> ...

It is at every HOWTO :-)

>
> Hope this helps...
>

Yes, it helps me. Thank you!

>
> _______________________________________________
>
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list

--
Sorry me for my poor English...
---------------------------------------------------------
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc
Best Regards mailto:srg@xxxxxxxxx
Mokeev Sergey ICQ UIN:168860082
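
An added example, not code from the thread or from pam_ldap: with `pam_check_host_attr yes`, access depends on the `host` values in each entry, so an LDIF export can be audited for a given machine before relying on it. The script only reports what the directory contains; the sample LDIF, the function names and the case-insensitive hostname comparison are assumptions, and how pam_ldap treats an entry with no `host` attribute should be confirmed against the installed version.

```python
import base64

# Constructed sample LDIF (not from the thread): a folded line, a
# base64-encoded value, and an entry with no host attribute.
SAMPLE_LDIF = """\
dn: uid=auser,ou=People,dc=example,dc=com
uid: auser
host: host1.example.com
host: host2.exam
 ple.com

dn: uid=buser,ou=People,dc=example,dc=com
uid: buser
host:: aG9zdDEuZXhhbXBsZS5jb20=

dn: uid=cuser,ou=People,dc=example,dc=com
uid: cuser
"""

def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute name -> list of values."""
    entries, lines = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines + [""]:
        if not line.strip():              # a blank line ends an entry
            if entry:
                entries.append(entry)
            entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def host_report(text, hostname):
    """Group uids: listing hostname, listing other hosts only, no host attribute."""
    want = hostname.rstrip(".").lower()   # assumption: compare case-insensitively
    report = {"listed": [], "other_hosts": [], "no_host_attr": []}
    for e in parse_ldif(text):
        hosts = [h.rstrip(".").lower() for h in e.get("host", [])]
        key = ("no_host_attr" if not hosts
               else "listed" if want in hosts else "other_hosts")
        report[key].append(e["uid"][0])
    return report
```

Run `host_report()` on the output of an LDIF export of `ou=People` with the machine's fully qualified name; accounts under `no_host_attr` are the ones to review first.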