List: pam-list
Subject: Re: ldap authentication
From: jason.calvert () abbott ! com
Date: 2002-09-23 20:28:47
The pam_unix.so iterates through the entire group list to find out what groups
you are in. You need this in your /etc/nsswitch.conf:
passwd: files [UNAVAIL=return] ldap
shadow: files [UNAVAIL=return] ldap
group: files [UNAVAIL=return] ldap
Also, I have hacked my /etc/pam.d/system-auth to look like this:
auth required /lib/security/pam_env.so debug
auth sufficient /lib/security/pam_unix.so debug
auth sufficient /lib/security/pam_krb5.so try_first_pass debug
auth required /lib/security/pam_deny.so debug
account sufficient /lib/security/pam_localuser.so debug
account sufficient /lib/security/pam_ldap.so debug
password required /lib/security/pam_cracklib.so retry=3 type=
password required /lib/security/pam_krb5.so
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
#session required /lib/security/pam_ldap.so
session required /lib/security/pam_limits.so debug
session required /lib/security/pam_unix.so debug
You will want to replace pam_krb5.so with pam_ldap.so in the auth section.
Notice the pam_localuser in the account section.
And my /etc/pam.d/login looks like this:
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
Igmar Palsenberg <maillist@jdimedia.nl> (sent by pam-list-admin@redhat.com) wrote on 09/20/2002 03:22 AM:
To: pam-list@redhat.com
Subject: Re: ldap authentication
Please respond to pam-list
> But that doesn't explain why root is unable to login.
Because the auth fails if it can't contact the LDAP server, it has no
knowledge in advance that root isn't in LDAP.
Igmar
_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
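The exchange above turns on how PAM's control flags interact with an LDAP server that cannot be reached: with pam_unix.so and pam_localuser.so marked "sufficient" ahead of pam_ldap.so, a user found in /etc/passwd is decided locally and the stack returns before LDAP is ever consulted, while a stack that marks pam_ldap.so "required" fails for every user, root included, as soon as the server is unavailable. The following script is an added example, not code from the message or from Linux-PAM; it models the classic control-flag semantics (required, requisite, sufficient, optional) and replays the auth and account stacks posted above, with pam_krb5.so swapped for pam_ldap.so as the message suggests, against simulated module results. The user lists, the module behaviour and the contrasting LDAP-only stack are assumptions constructed for the illustration; nothing here talks to a real PAM or LDAP server.

```python
"""Model of Linux-PAM control-flag evaluation (added example, not from the
original message). Module outcomes and account lists are simulated."""

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"
PERM_DENIED = "PAM_PERM_DENIED"
UNAVAIL = "PAM_AUTHINFO_UNAVAIL"


def run_stack(stack, module_result):
    """Evaluate a PAM stack with the classic control flags.

    stack:         list of (control, module) pairs in file order.
    module_result: callable(module) -> one of the status strings above.
    Returns the status the application would see from pam_authenticate()
    or pam_acct_mgmt().
    """
    first_failure = None      # status of the first failed 'required' module
    decided = False           # has a required/requisite module contributed?
    optional_status = None
    for control, module in stack:
        status = module_result(module)
        ok = status == SUCCESS
        if control == "required":
            decided = True
            if not ok and first_failure is None:
                first_failure = status       # remembered; the stack keeps running
        elif control == "requisite":
            decided = True
            if not ok:
                return first_failure or status   # stop the stack right here
        elif control == "sufficient":
            if ok and first_failure is None:
                return SUCCESS               # short-circuit: later modules never run
            # a failing 'sufficient' module is simply ignored
        elif control == "optional":
            optional_status = status         # only counts if nothing else decides
        else:
            raise ValueError(f"unknown control flag {control!r}")
    if first_failure is not None:
        return first_failure
    if decided:
        return SUCCESS
    if optional_status is not None:
        return optional_status
    return PERM_DENIED        # e.g. every 'sufficient' module failed


# Constructed accounts for the simulation: root and jason live in /etc/passwd,
# alice exists only in the directory.
LOCAL_USERS = {"root", "jason"}
LDAP_USERS = {"alice"}


def simulate(user, password_ok=True, ldap_up=True):
    """Return a module_result callable describing one login attempt (simulated)."""
    def module_result(module):
        if module == "pam_env.so":
            return SUCCESS
        if module == "pam_unix.so":
            return SUCCESS if user in LOCAL_USERS and password_ok else AUTH_ERR
        if module == "pam_localuser.so":
            return SUCCESS if user in LOCAL_USERS else PERM_DENIED
        if module == "pam_ldap.so":
            if not ldap_up:
                return UNAVAIL       # cannot contact the server
            if user not in LDAP_USERS:
                return PERM_DENIED
            return SUCCESS if password_ok else AUTH_ERR
        if module == "pam_deny.so":
            return AUTH_ERR
        raise KeyError(module)
    return module_result


# The stacks from the message above (pam_krb5.so replaced by pam_ldap.so).
AUTH_STACK = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),       # local accounts decided here; LDAP never contacted
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]
ACCOUNT_STACK = [
    ("sufficient", "pam_localuser.so"),  # /etc/passwd users never reach pam_ldap
    ("sufficient", "pam_ldap.so"),
]
# Constructed for contrast: an account stack that asks LDAP about everyone.
LDAP_ONLY_ACCOUNT_STACK = [("required", "pam_ldap.so")]


def login(user, password_ok=True, ldap_up=True, account_stack=ACCOUNT_STACK):
    """Run auth, then account as login(1) does; returns (auth, account)."""
    results = simulate(user, password_ok, ldap_up)
    auth = run_stack(AUTH_STACK, results)
    account = run_stack(account_stack, results) if auth == SUCCESS else None
    return auth, account


if __name__ == "__main__":
    for user, up in (("root", True), ("root", False), ("alice", True), ("alice", False)):
        print(f"{user:6} ldap_up={up!s:5} recommended={login(user, ldap_up=up)} "
              f"ldap_only={login(user, ldap_up=up, account_stack=LDAP_ONLY_ACCOUNT_STACK)}")
```

Running the script prints one line per scenario: root authenticates and passes account checks with the posted stacks whether or not LDAP is reachable, but gets PAM_AUTHINFO_UNAVAIL from the LDAP-only account stack as soon as the server is down; alice, who exists only in the directory, can only log in while LDAP is up in either case.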