Yu,

Thank you for the contribution and help. I have tried changing these settings with no change. I am not sure if my ldap.conf is correct or if I need to link it to another file. Currently it sits in this dir: /etc/openldap/ldap.conf. I used the krb5.conf file going off the instructions found on the shrubbery.net forums, which recommended using krb5 and not ldap for Active Directory integration with tac_plus. Going from a paid application to this solution has had challenges, but this is really the last hurdle to cross, so I am open to trying any configuration at this point. I will keep trying variations of your suggestion and let you know the outcome. Once again thank you for the post, and if you have any other suggestions please pass them along.

Danny

________________________________________
From: pam-list-bounces@xxxxxxxxxx <pam-list-bounces@xxxxxxxxxx> on behalf of Yu Wang <yuwang@xxxxxxxxxx>
Sent: Thursday, March 20, 2014 10:56 AM
To: Pluggable Authentication Modules
Subject: Re: tac_plus AD integration with PAM

Try using pam_ldap for the account (authorize) part. You will need to create pam_ldap.conf or ldap.conf, depending on your server OS, to query a user's attribute (uid).

Your pam.d/tac_plus account part would look like:

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so <------
account required pam_permit.so

On Thu, 20 Mar 2014, Donato Rivera wrote:
> Greetings,
>
> I am attempting to integrate my tac_plus solution with AD using PAM. I have tried numerous iterations I found online with no luck. I am listing my config below; the krb5.conf seems to pass, which I will also list. Any assistance is greatly appreciated.
>
> AD credentials test using Kerberos:
>
> [root@pam.d]# kinit Dan
> Password for Dan@domain:
>
> [root@pam.d]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Dan@domain
>
> Valid starting     Expires            Service principal
> 03/20/14 10:00:50  03/20/14 20:00:56  krbtgt/domain
>         renew until 03/27/14 10:00:50
>
> Configuration:
>
> /etc/tac_plus.conf
>
> key = "TestKey"
> accounting file = /var/log/tac.acct.log
> # authentication users not appearing elsewhere via
> # the file /etc/passwd
> #default authentication = file /etc/passwd
>
> # A group that can change some limited configuration on switchports
> # related to host-side network configuration
>
> group = Admin {
>     # login = file /etc/passwd
>     # or authenticated via PAM:
>     # login = PAM
>     service = exec {
>         priv-lvl = 15
>     }
> }
>
> user = dan {
>     login = PAM
>     member = Admin
> }
>
> /etc/pam.d/tac_plus
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_krb5.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_krb5.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_krb5.so
>
> /etc/krb5.conf
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = domain_name
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
> [realms]
> domain_name = {
>     kdc = x.x.x.x
>     admin_server = x.x.x.x
> }
>
> [domain_realm]
> domain_name = domain_name
>
> Thanks,
>
> Danny

--
--Yu Wang
****************************************************
Computer & Network System Administrator
****************************************************

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
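The thread turns on how the PAM control flags combine: Danny's auth stack and Yu Wang's proposed account stack both start with modules that look the user up through getpwnam(), so the outcome depends on whether the AD user is resolvable through NSS at all, not only on which module sits in the `[default=bad ...]` slot. The simulator below is an added example, not code from this thread, from Linux-PAM, tac_plus or pam_ldap. It walks a pam.d stack with the ok/done/bad/die/ignore logic that pam.conf(5) documents for `required`, `requisite`, `sufficient`, `optional` and the bracket form (plus numeric jumps such as `success=1`), and reports which status the stack returns. The stack lines are copied from the thread; the function names (`parse_stack`, `run_stack`, `outcome`) and the two scenario dictionaries are mine, and the per-module return codes in them are constructed assumptions about what each module would report, not observed results. Substacks, `include` and the `reset` action are not modelled.

```python
"""PAM control-flag simulator for the stacks posted in this thread.
Added example: mirrors the ok/done/bad/die/ignore handling documented in
pam.conf(5).  Stack text is from the thread; per-module return codes in the
scenarios are constructed assumptions, not observed output."""
import re

# pam.conf(5) defines the keyword controls as these bracket actions.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Parse pam.d lines into (type, control-dict, module, args) tuples."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable pam.d line: " + line)
        mtype, ctrl, module, args = m.groups()
        if ctrl.startswith("["):
            control = dict(tok.split("=", 1) for tok in ctrl[1:-1].split())
        else:
            control = KEYWORDS[ctrl]
        stack.append((mtype, control, module, args.strip()))
    return stack


def run_stack(stack, results, mtype):
    """Walk one management group (auth/account/...) and return the final status.
    `results` maps "module args" (or just "module") to the return code that
    module is assumed to produce; modules not listed are assumed to succeed."""
    modules = [e for e in stack if e[0] == mtype]
    impression, status = None, None      # None: no module has decided anything yet
    i = 0
    while i < len(modules):
        _, control, module, args = modules[i]
        retval = results.get((module + " " + args).strip(), results.get(module, "success"))
        action = control.get(retval, control.get("default", "bad"))
        skip = 0
        if action.isdigit():             # "success=1": behaves like ok, then skips N modules
            skip, action = int(action), "ok"
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break                    # sufficient succeeded with no earlier failure
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # the first failure is what is returned
            if action == "die":
                break                    # requisite: stop at once
        # "ignore" leaves impression and status untouched
        i += 1 + skip
    return status if impression is not None else "perm_denied"


# Stacks copied from the thread: Danny's auth part and Yu Wang's account part.
TAC_PLUS_STACK = """
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
"""

# Constructed scenario: the AD user is not resolvable through NSS, so every
# getpwnam()-based module reports user_unknown even though KDC and directory know the user.
AD_USER_NO_NSS = {
    "pam_unix.so": "user_unknown", "pam_localuser.so": "perm_denied",
    "pam_succeed_if.so": "user_unknown", "pam_krb5.so": "success",
    "pam_ldap.so": "success", "pam_deny.so": "perm_denied",
}

# Constructed scenario: NSS resolves the AD user as uid 10001 with no shadow entry,
# so the uid tests work and broken_shadow hides the missing shadow row.
AD_USER_WITH_NSS = {
    "pam_unix.so": "auth_err", "pam_unix.so broken_shadow": "success",
    "pam_localuser.so": "perm_denied",
    "pam_succeed_if.so uid >= 500 quiet": "success",
    "pam_succeed_if.so uid < 500 quiet": "perm_denied",
    "pam_krb5.so": "success", "pam_ldap.so": "success", "pam_deny.so": "perm_denied",
}


def outcome(results):
    """Return (auth status, account status) for one scenario."""
    stack = parse_stack(TAC_PLUS_STACK)
    return run_stack(stack, results, "auth"), run_stack(stack, results, "account")


if __name__ == "__main__":
    print("AD user, no NSS :", outcome(AD_USER_NO_NSS))
    print("AD user via NSS :", outcome(AD_USER_WITH_NSS))
```

Run as a script it shows that without NSS resolution the `requisite pam_succeed_if.so` line ends the auth stack with user_unknown before pam_krb5 runs, and the `required pam_unix.so broken_shadow` line marks the account stack failed before pam_ldap is consulted, so the `user_unknown=ignore` on the pam_ldap line never gets a chance to matter; once the user resolves through NSS both stacks succeed. The practical check this suggests is `getent passwd <ad-user>` on the tac_plus host, alongside the pam_ldap change.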