
List:       pamldap
Subject:    Re: [pamldap] fedora core 1 / pam_groupdn / proper order in pam config
From:       Fran Fabrizio <fran () cis ! uab ! edu>
Date:       2004-07-06 15:55:23
Message-ID: 40EACB6B.5000702 () cis ! uab ! edu


Yeah - the silly thing is that if you have pam_ldap before pam_pwdb in 
the pam.d setup and you log in with a local user, you do see the 
friendly message from pam_ldap before pam_pwdb lets you in. Of course, 
you don't really want to see it at that time, since it is a valid local 
user who eventually gets let in.  So you see it when you don't need to, 
and don't see it when you need to. :-)  I guess you'd need an "only 
display this error message if all other modules on the auth stack also 
fail" option in this case.  But I suspect most people have a setup like 
mine and want to check local users first, and then LDAP.  It would be 
great if we could get it working in that scenario.

-Fran



Eric Andresen wrote:
> The problem is that there is no TTY open for SSH to give the message, I
> believe. I too would prefer that the message came through, though.
> 
> Does anyone happen to know if that's possible?
> 
> -- Eric
> 
> On Fri, 2004-07-02 at 10:18, Fran Fabrizio wrote:
> 
>>Eric Andresen wrote:
>>
>>>Try using pam_pwdb instead of pam_unix; it only authenticates against the
>>>old-style /etc/passwd and /etc/shadow files.
>>
>>Ok, I got everything working now with pam_ldap.  The reason it wasn't 
>>allowing privileged users in (from my most recent email in this thread) 
>>is that pam_ldap was looking for a memberUid in the group of something 
>>like "uid=joeuser,ou=People,dc=cis,dc=uab,dc=edu" and I had added it to 
>>the group as just "joeuser".  I guess I need to use the full form and do 
>>a little better job of "thinking in LDAP". :-)
>>
>>Here's one final issue I'm having, where baduser is not in the required 
>>group...
>>
>>[fran@fran fran]$ ssh baduser@fran
>>baduser@fran's password:
>>Read from remote host fran: Connection reset by peer
>>Connection to fran closed.
>>
>>Is this typical?  I see from the pam_ldap.c code that it's supposed to 
>>say "You must be a memberUid of 
>>cn=goodgroup,ou=Group,dc=cis,dc=uab,dc=edu in order to login", but I 
>>don't see that message, I just get the message above.  Something a 
>>little more friendly for our users would be better.
>>
>>Thanks,
>>Fran


-- 
Fran Fabrizio
Senior Systems Analyst
Department of Computer and Information Sciences
University of Alabama at Birmingham
http://www.cis.uab.edu/
205.934.0653
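A worked configuration for the ordering the thread settles on (local accounts checked first, LDAP only afterwards), with the pam_groupdn restriction set up so the full-DN membership form Fran describes matches. This is an added example, not a configuration posted in the thread or shipped by pam_ldap: the file names, the sshd stack written out directly (Fedora Core 1 normally routes it through pam_stack.so service=system-auth), and the host/base values are assumptions; the group and people DNs are the ones quoted in the thread.

```text
# /etc/pam.d/sshd  (assumed layout for this example)
#
# pam_pwdb is "sufficient": a local user with a correct password returns
# success here and pam_ldap never runs, so a valid local login is never
# shown pam_ldap's group-denial text.  Anyone pam_pwdb does not accept
# falls through to pam_ldap, which reuses the already-typed password.
auth       required     pam_nologin.so
auth       sufficient   pam_pwdb.so
auth       required     pam_ldap.so use_first_pass

# Same order for the account phase: local expiry checks first, then LDAP.
account    sufficient   pam_pwdb.so
account    required     pam_ldap.so

# /etc/ldap.conf  (pam_ldap client settings; host and base are assumed)
host                  ldap.cis.uab.edu
base                  dc=cis,dc=uab,dc=edu
pam_login_attribute   uid

# Restrict logins to one group.  pam_ldap tests whether the *full DN* of
# the authenticating entry is a value of pam_member_attribute, so the
# group entry must contain
#     memberUid: uid=joeuser,ou=People,dc=cis,dc=uab,dc=edu
# and not the bare
#     memberUid: joeuser
pam_groupdn           cn=goodgroup,ou=Group,dc=cis,dc=uab,dc=edu
pam_member_attribute  memberUid
```

With this order the denial message can only be produced for a user pam_pwdb did not accept, which is the case Fran wants it for; whether sshd relays that message to the client is a separate question from the stack order and is not addressed by this configuration.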
