First, I am new to linux and ldap auth for a system, so with that in mind....

We have rhel4 set up to do ldap authentication. Had to do some tricky things to get it to auto create directories when we ftp in. They were:

/etc/init.d/vsftpd.conf - add 'session_support=YES'

/etc/pam.d/vsftpd:

    auth       required   pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
    auth       required   pam_stack.so service=system-auth
    auth       required   pam_shells.so
    account    required   pam_stack.so service=system-auth
    session    required   pam_stack.so service=system-auth

/etc/pam.d/system-auth:

    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
    auth        required      /lib/security/$ISA/pam_deny.so
    account     required      /lib/security/$ISA/pam_unix.so broken_shadow
    account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
    account     required      /lib/security/$ISA/pam_permit.so
    password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok shadow
    password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
    password    required      /lib/security/$ISA/pam_deny.so
    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so
    session     optional      /lib/security/$ISA/pam_ldap.so
    #session    required      /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0066
    session     required      /lib/security/$ISA/pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0066

/etc/pam.d/sshd:

    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    required     pam_loginuid.so

Also had to start the oddjob service and do work with dbus. That is what was needed to get the directory and profile created for a user whether they ftp in vs. ssh in.

In /etc/nsswitch.conf I have:

    passwd: files ldap
    shadow: files ldap
    group:  files ldap

Now, here are three problems that I have:

1) If the ldap server in ldap.conf is not up, then no one can login, even someone with a local id in the /etc/passwd file. I thought nsswitch.conf took care of this?

2) I want to be able to bind to more than just one base/binddn/bindpw group. I don't see how that is doable (is that a word) in the ldap.conf file. For that matter, the foursome of host/binddn/bindpw/bindpw would be great also. The reason is that we have some under uid=user,dc=group1,dc=gpc,dc=edu and others under uid=user,dc=group2,dc=gpc,dc=edu and others under uid=user,dc=group3,dc=gpc,dc=edu. With what I see in ldap.conf, I can mention multiple hosts, but nothing about multiple bases or multiple binds/bindpw.

3) authorizedService - is it tunable on a per system basis? If I want them to be able to ssh into system A, but not system B. Ftp into system B, but not system A, then ssh and ftp into system C. I do not see it in the schema for openldap-2.3.33, where would I get 'authorizedServiceObject' which it is under? Also, exactly what do I put as a value for vsftpd (ftp?), secure shell (ssh?). Would scp and sftp be other values?

Thank you for any help!

-- 
redhat-list mailing list
https://www.redhat.com/mailman/listinfo/redhat-list
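As an added illustration (not part of the post above, and not Linux-PAM's or pam_ldap's own code): a small simulator of Linux-PAM control-flag semantics (the bad/die/ok/done/ignore actions behind required/requisite/sufficient/optional and the bracket form), run over the account stack copied from the system-auth file in the post. The module return tokens fed in are assumed scenarios; the point it makes is that for a local user with uid >= 100 the account stage's verdict rests entirely on what pam_ldap.so returns when the directory is unreachable, since that line maps only user_unknown to ignore and everything else to bad.

```python
import re
# Keyword controls as their [value=action] equivalents (from the Linux-PAM docs).
EQUIV = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# Account stack copied from the system-auth file in the post above.
SYSTEM_AUTH = """\
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
"""

def parse_stack(text, facility):
    """Return [(actions, module_basename)] for one facility of a PAM file."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
        if not m or m.group(1) != facility:  # skips comments and other facilities
            continue
        ctrl, module = m.group(2), m.group(3).rsplit("/", 1)[-1]
        actions = dict(kv.split("=", 1) for kv in ctrl[1:-1].split()) if ctrl[0] == "[" else EQUIV[ctrl]
        stack.append((actions, module))
    return stack

def run_stack(stack, results):
    """results maps module -> return token (default 'success'); returns the stack's verdict."""
    impression, status = None, "success"
    for actions, module in stack:
        rv = results.get(module, "success")
        action = actions.get(rv, actions.get("default", "bad"))
        if action in ("bad", "die"):
            if impression != "bad":  # the first failure is the one reported
                impression, status = "bad", rv
            if action == "die":
                break
        elif action in ("ok", "done"):
            if impression != "bad":  # an earlier 'bad' is sticky
                impression, status = "ok", rv
            if action == "done":
                break
    return status

if __name__ == "__main__":
    acct = parse_stack(SYSTEM_AUTH, "account")
    # Assumed scenario: local user with uid >= 100 while the directory is unreachable.
    print(run_stack(acct, {"pam_succeed_if.so": "perm_denied", "pam_ldap.so": "authinfo_unavail"}))
```

Swap the token given for pam_ldap.so between user_unknown and authinfo_unavail to see the verdict flip for the same local user; uid < 100 accounts never reach that line because pam_succeed_if is sufficient.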