I've found that I need to set:
shadow: files ldap
group: files ldap
in my /etc/nsswitch.conf to get this to work (Redhat ES2.1). However, I don't want shell logins on the system to be authenticated through LDAP. That is, while I want to accept LDAP users for httpd authentication, I don't want to accept such users for login to the system (Web authors are a small subset of those who authenticate through httpd).
What I find is that if I leave my nsswitch.conf as:
passwd: files
then users that are not in my /etc/passwd file can't authenticate through httpd (/etc/pam.d/httpd:
_____________________________
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_deny.so
_____________________________
). The error I see is:
[Wed Sep 29 18:06:27 2004] [error] (2)No such file or directory: access to /projects/www-test/group-staff/ failed for 128.55.16.133, reason: User not known to the underlying authentication module
Not surprisingly I also see:
Sep 28 16:14:29 rohanb httpd(pam_unix)[20895]: could not identify user (from getpwnam(jed))
in /var/log/messages. If I call getpwnam then I don't see a passwd entry. This is as I expect
and want as I don't want users from LDAP logging into the system. However, I do want to be
able to have users coming in through Apache to authenticate.
If I authenticate a user that is in my /etc/passwd file then the authentication works - with the password stored in the LDAP server.
If I change my nsswitch.conf to include:
passwd: files ldap
then httpd authentication works through LDAP, but LDAP users also are able to login to my Web server -
which is not what I want.
I wondered if anybody might have any thoughts on how I can get PAM to do what I need. At this point I'm
stuck and considering switching to mod_auth_ldap. I would prefer staying with PAM because of its greater
flexibility, but if I can't get it to do what I need then of course I need to do something else. Perhaps somebody
might be able to point me to a discussion of the binding between PAM and nsswitch? Is this a case
where I'm trying to do something that isn't possible? Ideally I would like to be able to accept LDAP
passwords for users that are in my /etc/passwd file for logins.
--Jed http://www.nersc.gov/~jed/
_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
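Added example (shell), not part of Jed's post or of the PAM project: it pulls apart the two knobs the post runs into. nsswitch.conf decides whether getpwnam() can see an LDAP user at all (which is why httpd's pam_unix lookup fails with `passwd: files`), while the PAM stack of each service decides whether a user the system can resolve may use that particular service. The script parses constructed nsswitch.conf and /etc/pam.d/login-style samples and classifies how exposed LDAP users are to shell login; the allow-list variant uses pam_listfile in the account phase with a hypothetical /etc/login.allowed path, and the layout of the sample stacks is assumed, not taken from the poster's system.

```shell
#!/bin/sh
# Added example: separate NSS visibility (nsswitch.conf) from per-service
# authorization (the PAM stack). All files below are constructed samples.

# Print the source list of one NSS database ("passwd", "shadow", ...) from an
# nsswitch.conf-style file, ignoring comments. Assumes the usual "db: src src" layout.
nss_sources() {
    sed -e 's/#.*//' -e 's/^\([A-Za-z_]*\):/\1: /' "$2" |
        awk -v db="$1" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Succeed if database $1 lists source $2 in file $3.
nss_uses() {
    nss_sources "$1" "$3" | tr ' ' '\n' | grep -qx "$2"
}

# Succeed if PAM file $1 has an uncommented "account" line using module $2
# (e.g. pam_listfile or pam_access), i.e. something gating who may use the service.
pam_account_uses() {
    grep -v '^[[:space:]]*#' "$1" | grep -q "^account.*$2"
}

# Classify shell-login exposure of LDAP users for nsswitch.conf $1 and login PAM file $2:
#   local-only : passwd does not consult ldap; LDAP-only users are unknown to
#                getpwnam(), so they cannot log in (and pam_unix lookups fail too).
#   restricted : passwd consults ldap, but the account phase limits who may log in.
#   exposed    : passwd consults ldap and nothing in the account phase limits it.
login_exposure() {
    if ! nss_uses passwd ldap "$1"; then
        echo local-only
    elif pam_account_uses "$2" pam_listfile || pam_account_uses "$2" pam_access; then
        echo restricted
    else
        echo exposed
    fi
}

# Write constructed sample configs into directory $1.
make_fixture() {
    dir=$1
    mkdir -p "$dir"
    printf 'passwd: files\nshadow: files ldap\ngroup: files ldap\n' > "$dir/nsswitch.files"
    printf 'passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n' > "$dir/nsswitch.ldap"
    # Hypothetical /etc/pam.d/login that accepts LDAP passwords and nothing more.
    cat > "$dir/login.open" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix.so use_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix.so
EOF
    # Same stack with an allow-list in the account phase: only users named in
    # /etc/login.allowed (hypothetical path) get a shell even though NSS knows them.
    cat > "$dir/login.restricted" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix.so use_first_pass
account    required     /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/login.allowed
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix.so
EOF
}

# Stand-alone demo: build the fixture in a temp dir and report each combination.
demo() {
    d=$(mktemp -d)
    make_fixture "$d"
    for n in files ldap; do
        for p in open restricted; do
            echo "nsswitch.$n + login.$p -> $(login_exposure "$d/nsswitch.$n" "$d/login.$p")"
        done
    done
    rm -rf "$d"
}
demo
```

The point the classification makes is that `passwd: files ldap` only makes LDAP users resolvable; whether they may open a shell is decided per service in /etc/pam.d, so httpd and login can be given different account-phase rules while sharing the same NSS view.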