List: pamldap
Subject: Re: [pamldap] fedora core 1 / pam_groupdn / proper order in pam config
From: Fran Fabrizio <fran () cis ! uab ! edu>
Date: 2004-07-06 15:55:23
Message-ID: 40EACB6B.5000702 () cis ! uab ! edu
Yeah - the silly thing is that if you have pam_ldap before pam_pwdb in
the pam.d setup and you log in with a local user, you do see the
friendly message from pam_ldap before pam_pwdb lets you in. Of course,
you don't really want to see it at that time, since it is a valid local
user who eventually gets let in. So you see it when you don't need to,
and don't see it when you need to. :-) I guess you'd need an "only
display this error message if all other modules on the auth stack also
fail" in this case. But I suspect most people are like my setup and
want to check local users first, and then ldap. It would be great if we
could get it working in that scenario.
-Fran
Eric Andresen wrote:
> The problem is that there is no TTY open for SSH to give the message, I
> believe. I too would prefer that the message came through, though.
>
> Does anyone happen to know if that's possible?
>
> -- Eric
>
> On Fri, 2004-07-02 at 10:18, Fran Fabrizio wrote:
>
>>Eric Andresen wrote:
>>
>>>Try using pam_pwdb instead of pam_unix.. it only authenticates the
>>>old-style /etc/passwd and /etc/shadow files.
>>
>>Ok, I got everything working now with pam_ldap. The reason it wasn't
>>allowing privileged users in (from my most recent email in this thread)
>>is that pam_ldap was looking for a memberUid in the group of something
>>like "uid=joeuser,ou=People,dc=cis,dc=uab,dc=edu" and I had added it to
>>the group as just "joeuser". I guess I need to use the full form and do
>>a little better job of "thinking in LDAP". :-)
>>
>>Here's one final issue I'm having, where baduser is not in the required
>>group...
>>
>>[fran@fran fran]$ ssh baduser@fran
>>baduser@fran's password:
>>Read from remote host fran: Connection reset by peer
>>Connection to fran closed.
>>
>>Is this typical? I see from the pam_ldap.c code that it's supposed to
>>say "You must be a memberUid of
>>cn=goodgroup,ou=Group,dc=cis,dc=uab,dc=edu in order to login", but I
>>don't see that message, I just get the message above. Something a
>>little more friendly for our users would be better.
>>
>>Thanks,
>>Fran
--
Fran Fabrizio
Senior Systems Analyst
Department of Computer and Information Sciences
University of Alabama at Birmingham
http://www.cis.uab.edu/
205.934.0653
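As an added example (not code from this thread or from pam_ldap itself), the Python below models how Linux-PAM walks an auth stack with required/requisite/sufficient controls, so the two orderings discussed above can be compared on constructed sample accounts; it assumes the local user also has an LDAP entry outside goodgroup, which is what makes pam_ldap's message appear for local users when it runs first. It models the stack logic only, not how sshd delivers module messages.

```python
# Added example (not from the thread or from pam_ldap): a small model of how
# Linux-PAM evaluates an "auth" stack, to show why the order of pam_pwdb and
# pam_ldap decides who sees pam_ldap's group message.

# Constructed sample accounts; assumption: "fran" is a local user who also
# has an LDAP entry but is not in goodgroup, "joeuser" is the LDAP user
# listed in the group by full DN, "baduser" is an LDAP user outside it.
LOCAL_USERS = {"fran"}
LDAP_USERS = {"fran", "joeuser", "baduser"}
PEOPLE_BASE = "ou=People,dc=cis,dc=uab,dc=edu"
GOOD_GROUP_DN = "cn=goodgroup,ou=Group,dc=cis,dc=uab,dc=edu"
GOOD_GROUP_MEMBERS = {f"uid=joeuser,{PEOPLE_BASE}"}
GROUP_MSG = f"You must be a memberUid of {GOOD_GROUP_DN} in order to login"

def pam_pwdb(user, msgs):
    """Succeeds only for accounts in the local passwd/shadow files."""
    return user in LOCAL_USERS

def pam_ldap(user, msgs):
    """LDAP account plus pam_groupdn check; sends the group message on failure."""
    if user not in LDAP_USERS:
        return False                      # unknown to LDAP: fail quietly
    if f"uid={user},{PEOPLE_BASE}" in GOOD_GROUP_MEMBERS:
        return True
    msgs.append(GROUP_MSG)                # sent via the conversation function
    return False

def run_auth_stack(stack, user):
    """Walk [(control, module), ...] with Linux-PAM control-flag semantics; returns (authenticated, messages sent)."""
    msgs, failed = [], False
    for control, module in stack:
        ok = module(user, msgs)
        if control == "sufficient" and ok and not failed:
            return True, msgs             # success short-circuits the stack
        if control == "requisite" and not ok:
            return False, msgs            # failure returns immediately
        if control == "required" and not ok:
            failed = True                 # remembered; the rest still runs
    return not failed, msgs

LOCAL_FIRST = [("sufficient", pam_pwdb), ("required", pam_ldap)]  # local users first
LDAP_FIRST = [("sufficient", pam_ldap), ("required", pam_pwdb)]   # pam_ldap first

if __name__ == "__main__":
    for name, stack in (("local first", LOCAL_FIRST), ("ldap first", LDAP_FIRST)):
        for user in ("fran", "joeuser", "baduser"):
            print(name, user, run_auth_stack(stack, user))
```

With pam_pwdb first, the message is only produced for baduser, where it is wanted; with pam_ldap first, the local user fran also triggers it before pam_pwdb lets them in.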