Re: ssh, pam, and ldap

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 27 Jan 2009, Jesse C. Waters wrote:

Richard Ray wrote:
I have configured pam to authenticate ssh via ldap
No problems with that
How can I configure pam/ssh to use ldap for certain accounts only and unix password for other accounts

Running CentOS 5.2

Thanks
Richard Ray


that is controlled with your /etc/nsswitch.conf

passwd files ldap
group files ldap

check if user exists in /etc/passwd 1st, then ldap

so if you have a local account joe and an ldap account joe, it should use local account 1st. if you flip it around passwd ldap files then vs.

to restrict certain ldap groups to logging in you need add "pam_groupdn" to your ldap.conf file.

All these relate to pam & ldap configurations, I am not a pam expert. Test your configs, make sure you didn't allow anyone into your system as root without a passwd. (did that once, glad it was a vm).

I am no pam expert but this is what I came up with
Create a local group ldap_users
Add users to ldap_users that will authenticate via ldap
This is my /etc/pam.d/sshd

auth       required     pam_nologin.so
auth       required     pam_localuser.so
auth       required      pam_env.so
auth       sufficient    pam_unix.so try_first_pass nullok
auth       required pam_succeed_if.so debug user ingroup ldap_users
auth       sufficient    /lib/security/pam_ldap.so
auth       required      pam_deny.so
account    required     pam_nologin.so
account    sufficient   /lib/security/pam_ldap.so
account    include      system-auth
password   sufficient   /lib/security/pam_ldap.so
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth

It works for me
I would appreciate a bit of scrutiny

Richard



HTH,

Jesse Waters





[Index of Archives]     [Open SSH Unix Development]     [Fedora Users]     [Fedora Desktop]     [Yosemite Backpacking]     [KDE Users]     [Gnome Users]

  Powered by Linux