pam_unix, pam_ldap, and nss

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



i've been experimenting with ldap authentication combined with traditional unix authentication, and have what appears to be a working configuration - but, in the process, it's raised some questions.  my testing has been only with sshd for the moment.  at the bottom of the message is my current sshd pam config.  i've included the various common-* includes in the file as though they were part of it.

i'm specifically wondering about the account section.  using the more basic configuration:

account	[success=1 new_authtok_reqd=done default=ignore]
account	[success=1 default=ignore] minimum_uid=1000 debug
account	requisite
account	required

ldap users were allowed in when i wasn't expecting them to be.  i'm using openldap w/ the nssov overlay and the nss-pam-ldapd stub libraries.  isolating just the unix module or just the ldap module resulted in each type working as desired independently, but adding in the unix module circumvented the ldap group membership requirements.  since this system is also using ldap for nss - getent passwd, group, and shadow all expose ldap data, my sense was that this was the reason behind this behavior (although i don't quite understand specifically why).

my approach was to use localuser to identify if the user was local or in ldap, and then if found in ldap, apply the ldap module first, followed by the unix module only on success.  it seems to work, but feels a bit convoluted.  is this sane?  how is this typically handled, when nss uses both local files and ldap, and the pam uses both local and ldap modules with account restrictions coming from the ldap module?  i also wanted to keep the unix module first in the stack, to minimize delays if the ldap server was not reachable.

in the past i'd have used only localusers and not unix, which would simplify the account stack, but i've been cautioned previously on the list that doing so would result in things like password expiry not being honored, etc.

i'd greatly appreciate any criticism, etc. offered on my approach to solving the above, and on the below config in general.


# sshd pam config
auth		required
auth		required envfile=/etc/default/locale

@include common-auth
### common-auth ###
auth		[success=2 default=ignore] nullok_secure
auth		[success=1 default=ignore] use_first_pass minimum_uid=1000 debug
auth		requisite
auth		required
### end common-auth ###

account		required

@include common-account
### common-account ###
# send directly to unix module if a local user, send to ldap module first if not
account		[success=1 default=ignore]
account		[success=ok default=1] minimum_uid=1000 debug
account		[success=1 new_authtok_reqd=done default=ignore]
account		requisite
account		required
### end common-account ###

@include common-session
### common-session ###
session		required
session		optional minimum_uid=1000 no_warn debug
session		optional
### end common-session ###

session		optional # [1]
session		optional standard noenv
session		required

@include common-password
### common-password ###
password	requisite min=disabled,24,11,7,7
password	[success=2 default=ignore] use_authtok try_first_pass sha512 obscure
password	[success=1 default=ignore] use_authtok try_first_pass minimum_uid=1000 debug
password	requisite
password	required
### end common-password ###

Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux