[prev in list] [next in list] [prev in thread] [next in thread] 

List:       pam-list
Subject:    pam_unix, pam_ldap, and nss
From:       ben thielsen <btb () bitrate ! net>
Date:       2010-06-08 3:58:26
Message-ID: F73DF610-3AFC-4400-9C9C-3EBF2E4CEF7C () bitrate ! net
[Download RAW message or body]

hi-

i've been experimenting with ldap authentication combined with traditional unix \
authentication, and have what appears to be a working configuration - but, in the \
process, it's raised some questions.  my testing has been only with sshd for the \
moment.  at the bottom of the message is my current sshd pam config.  i've included \
the various common-* includes in the file as though they were part of it.

i'm specifically wondering about the account section.  using the more basic \
configuration:

account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
account	[success=1 default=ignore]				pam_ldap.so minimum_uid=1000 debug
account	requisite						pam_deny.so
account	required						pam_permit.so

ldap users were allowed in when i wasn't expecting them to be.  i'm using openldap w/ \
the nssov overlay and the nss-pam-ldapd stub libraries.  isolating just the unix \
module or just the ldap module resulted in each type working as desired \
independently, but adding in the unix module circumvented the ldap group membership \
requirements.  since this system is also using ldap for nss - getent passwd, group, \
and shadow all expose ldap data, my sense was that this was the reason behind this \
behavior (although i don't quite understand specifically why).

my approach was to use localuser to identify if the user was local or in ldap, and \
then if found in ldap, apply the ldap module first, followed by the unix module only \
on success.  it seems to work, but feels a bit convoluted.  is this sane?  how is \
this typically handled, when nss uses both local files and ldap, and the pam uses \
both local and ldap modules with account restrictions coming from the ldap module?  i \
also wanted to keep the unix module first in the stack, to minimize delays if the \
ldap server was not reachable.

in the past i'd have used only localusers and not unix, which would simplify the \
account stack, but i've been cautioned previously on the list that doing so would \
result in things like password expiry not being honored, etc.

i'd greatly appreciate any criticism, etc. offered on my approach to solving the \
above, and on the below config in general.

regards
-ben

# sshd pam config
auth		required				pam_env.so
auth		required				pam_env.so envfile=/etc/default/locale

@include common-auth
### common-auth ###
auth		[success=2 default=ignore]		pam_unix.so nullok_secure
auth		[success=1 default=ignore]		pam_ldap.so use_first_pass minimum_uid=1000 debug
auth		requisite				pam_deny.so
auth		required				pam_permit.so
### end common-auth ###

account		required				pam_nologin.so

@include common-account
### common-account ###
# send directly to unix module if a local user, send to ldap module first if not
account		[success=1 default=ignore]		pam_localuser.so
account		[success=ok default=1]			pam_ldap.so minimum_uid=1000 debug
account		[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
account		requisite				pam_deny.so
account		required				pam_permit.so
### end common-account ###

@include common-session
### common-session ###
session		required				pam_unix.so
session		optional				pam_ldap.so minimum_uid=1000 no_warn debug
session		optional				pam_mkhomedir.so
### end common-session ###

session		optional				pam_motd.so # [1]
session		optional				pam_mail.so standard noenv
session		required				pam_limits.so

@include common-password
### common-password ###
password	requisite				pam_passwdqc.so min=disabled,24,11,7,7
password	[success=2 default=ignore]		pam_unix.so use_authtok try_first_pass sha512 \
obscure password	[success=1 default=ignore]		pam_ldap.so use_authtok try_first_pass \
minimum_uid=1000 debug password	requisite				pam_deny.so
password	required				pam_permit.so
### end common-password ###

_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://www.redhat.com/mailman/listinfo/pam-list


[prev in list] [next in list] [prev in thread] [next in thread]