I'm facing a problem with PAM/LDAP.
I have two interfaces, httpd and system authentication, that I want to have distinct sets of users visible to authenticate to. In my case it happens that the system authentication set is a subset of the httpd set. I have a large set of computer center users (~3k) that I want to be able to be known as users and be able to authenticate to httpd with their LDAP userids and passwords, groups, etc. I have a much smaller set of Web developers (10s or so) that I want to be able to have shell/system authentication to login to the Web server system, but also with their LDAP passwords.
What it seems to come down to is that to get PAM/LDAP to know about the larger set of center users in the LDAP database I need to include:
passwd: files ldap
in my nsswitch.conf file. Having done so it appears to force my hand on shell/login authentication in that all the LDAP users become visible as if they had an entry in the /etc/passwd file.
I know that if I use mod_auth_ldap for my httpd authentication, I can set things up so that my larger set of users are visible to httpd authentication and then I can specify:
passwd: files
in my nsswitch.conf file and let PAM manage my system authentication to the subset.
I realize that I can also specify a system specific subset of users in LDAP that will allow me to authenticate just that subset with PAM for shell/login authentication. However, what I don't know how to do is to specify such a subset to PAM/LDAP for system authentication while using the much larger set for httpd authentication.
--Jed http://www.nersc.gov/~jed/
Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
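One way to get the split described in the post, shown here as an added configuration example rather than the poster's own setup: NSS keeps `passwd: files ldap` so every center account resolves, while pam_ldap's own authorization options restrict PAM (shell/login) authentication to one LDAP group; httpd with mod_auth_ldap binds to the directory directly and is not affected by the PAM restriction. The base DN, group DN, server URI and UID threshold are hypothetical.

```text
# /etc/nsswitch.conf
# NSS still resolves every LDAP account, so httpd (and getpwnam() in general)
# knows all of the ~3k center users. The PAM restriction below does not change this.
passwd:  files ldap
shadow:  files ldap
group:   files ldap

# /etc/ldap.conf  (shared PADL nss_ldap / pam_ldap configuration)
base    dc=example,dc=org            # hypothetical directory base
uri     ldap://ldap.example.org/     # hypothetical server

# pam_ldap-only options: they are ignored by nss_ldap, so enumeration of all
# users continues to work, but pam_ldap denies anyone who is not a member of
# this group (hypothetical group DN) during account management.
pam_groupdn           cn=webdevs,ou=Groups,dc=example,dc=org
pam_member_attribute  uniqueMember
# Additionally refuse PAM logins for low UIDs (system/service accounts).
pam_min_uid           500

# /etc/pam.d/sshd  (auth and account stacks; session/password lines omitted)
auth     required     pam_env.so
auth     sufficient   pam_unix.so nullok
auth     sufficient   pam_ldap.so use_first_pass
auth     required     pam_deny.so

account  required     pam_unix.so broken_shadow
account  sufficient   pam_localuser.so
account  sufficient   pam_succeed_if.so uid < 500 quiet
# Here pam_ldap enforces pam_groupdn / pam_min_uid: a center user who is not a
# uniqueMember of cn=webdevs is rejected even though NSS knows the account.
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
account  required     pam_permit.so
```

If the group is a posixGroup rather than a groupOfUniqueNames, set `pam_member_attribute memberUid` instead; the same restriction can alternatively be expressed for all services with pam_access.so and an `/etc/security/access.conf` rule allowing only that group.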