Re: PAM/LDAP httpd auth but no system account ?

At 11:56 AM 9/30/2004, Michael Chang wrote:

...so you basically want all authentication to happen against an LDAP
server, but you also want to be granular with respect to who can access
certain httpd services and who can access other services such as ssh or login.

Not quite. I want httpd to authenticate to LDAP, fully. For everything else I want authentication to happen locally - except that I would like to accept LDAP passwords for users that are in the local /etc/passwd file.

Where I worked over the summer, we had the same need.  pam_ldap is able to
restrict access based upon the service that is being requested; however, it
requires an extra objectclass and attribute(s) for each user.
The additional objectclass is named 'authorizedServiceObject', and the
attribute (multi-valued) is 'authorizedService'.

See the following URL for more details:
 http://www.netsys.com/pamldap/2003/05/msg00034.html

You may or may not have problems, depending upon the LDAP server you're
using.  Our setup was RHELAS3 with Sun One DS, and it worked like a charm
with the default OpenLDAP and PADL libraries shipped with RHEL.  I'm not sure
about ES2.1 -- you may have to grab the latest versions of those libs.

Upgrading to RHEL3 (ES anyway) would not be a problem. However, making a change like the above to our LDAP data would be a substantial problem, as that data is populated from Oracle through a mechanism that I only have tenuous access to. Putting system-specific changes into the base Oracle data would, I think, be a nonstarter.

I believe that if I switch to mod_auth_ldap then I can request httpd
to authenticate completely to LDAP.  I can also leave my nsswitch.conf
set to:

passwd:    files
shadow:    files ldap
group:     files ldap

so PAM/LDAP will pick up the LDAP password but NOT make /etc/passwd
entries available for users defined in LDAP but not in the /etc/passwd file.

That is what I would like to achieve. If I can do that with local configuration
changes to PAM (nsswitch.conf, ldap.conf) that would be great, but sadly
it would be a big change to start making system-specific changes to our
LDAP data as it comes from Oracle.


Thanks for taking the time to respond, Michael!  I'd really like to do this
authentication through PAM if possible and avoid a bunch of issues with
problems using mod_auth_ldap.  Any other thoughts are most welcome.

--Jed http://www.webstart.com/jed/
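A small audit of the nsswitch.conf policy discussed above (passwd from files only, shadow and group also consulting ldap), added here as an example and not part of the thread. The sample file contents and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): check an nsswitch.conf against the
# policy described above -- 'passwd' from files only, so LDAP-only users get
# no local account, while 'shadow' also consults ldap so PAM/LDAP can see
# LDAP passwords. The sample file contents are constructed for this demo.

NSSWITCH_SAMPLE='# constructed sample nsswitch.conf
passwd:    files
shadow:    files ldap
group:     files ldap
hosts:     files dns'

# nss_sources DB FILE: print the source list configured for database DB.
nss_sources() {
    awk -v db="$1" '
        /^[[:space:]]*#/ { next }
        $1 == db ":" { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$2"
}

# has_source DB SOURCE FILE: succeed when SOURCE is listed for DB.
has_source() {
    case " $(nss_sources "$1" "$3") " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_policy FILE: 0 when the file matches the intended policy, 1 otherwise.
check_policy() {
    ok=0
    if has_source passwd ldap "$1"; then
        echo "passwd consults ldap: LDAP-only users would resolve as accounts" >&2
        ok=1
    fi
    if ! has_source shadow ldap "$1"; then
        echo "shadow does not consult ldap: LDAP passwords cannot be seen" >&2
        ok=1
    fi
    return $ok
}

# Stand-alone run: write the constructed sample and check it.
tmp=$(mktemp) && printf '%s\n' "$NSSWITCH_SAMPLE" > "$tmp"
check_policy "$tmp" && echo "nsswitch.conf matches the intended policy"
rm -f "$tmp"
```

Note that NSS stops at the first source that returns an entry, so for a local user who already has an /etc/shadow line the ldap source is never reached for that lookup; this check only confirms the file says what the thread intends.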

_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
