
List:       pamldap
Subject:    [pamldap] pam_filter ignore?
From:       Ralf Duda <duda () jobpilot ! de>
Date:       2000-10-06 13:43:36

Hello,

We use pam_ldap 74 and nss_ldap 116 on an openldap 1.2.10.

Everything is quite fine but...

Every valid user in our database has an activ attribute, set to 1 if
active and 0 if not, and an attribute with the servername to which the
user can connect. The reason is that _only_ active users with the exact
hostaccount get a chance to connect.

I put this extra information into the ldap.conf as pam_filter. To be
sure, I have edited pam_ldap.c so the library always writes the filter
string into the logfile. At this point everything works.

ldap.conf:
pam_filter &(host=mailserver)(activ=1)

This filter will change to (&(&(host=mailserver)(activ=1))(uid=defoo))
and works very nicely.

Now I start to configure my pam.d/login file.
If I do it in the following way, only valid LDAP users with the right
attributes are successful:

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so

auth       required   /lib/security/pam_ldap.so
account    required   /lib/security/pam_ldap.so
password   required   /lib/security/pam_ldap.so

session    required     /lib/security/pam_unix_session.so

But nobody in /etc/passwd, like root, can log in.

So I configure the pam.d/login file in the following way:
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so

auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_passwd.so nullok use_first_pass

account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_passwd.so nullok use_first_pass

password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_unix_passwd.so nullok use_first_pass debug

session    required     /lib/security/pam_unix_session.so

Now I can log in as root and with the LDAP account, but with _every_ LDAP
account.
In the logfile I see the filter twice and the pam_unix info:
Oct  6 15:14:15 mailserver login[30768]: pam_ldap: FILTER (&(&(host=mailserver)(activ=1))(uid=defoo))
Oct  6 15:14:16 mailserver login[30768]: pam_ldap: FILTER (&(&(host=mailserver)(activ=1))(uid=defoo))
Oct  6 15:14:16 mailserver PAM_unix[30768]: (login) session opened for user defoo by (uid=0)

In my nsswitch.conf is the order:
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
networks:       files

I would be very happy if someone can give me a hint.

best regards,
Ralf Duda


PS: The explanation from David about use/try_first_pass - GREAT!
Thanks very much!!
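The behaviour in the post follows from how Linux-PAM evaluates the control flags in a stack: a `required` module that fails is remembered but the stack keeps running, while a `sufficient` module that fails is simply ignored and the decision falls through to whatever comes after it. The following script is an added example, not code from the post or from the pam_ldap project. It parses the two `auth` stacks quoted above (with the wrapped `use_first_pass` argument rejoined onto its module line), applies the control-flag rules to a few constructed outcomes, and reproduces the filter string seen in the log. The scenario in which a non-matching LDAP user still passes `pam_unix_passwd` is an assumption about this site: with `ldap` in nsswitch.conf, pam_unix can obtain that user's password hash through NSS, so the pam_filter that pam_ldap enforces is never consulted on that path.

```python
"""Simulate Linux-PAM control-flag semantics for the two pam.d/login
auth stacks from the post (constructed example, not pam_ldap code)."""

from typing import Dict, List, Tuple

# The two auth stacks from the post, with the wrapped "use_first_pass"
# argument rejoined onto its module line.
STACK_ALL_REQUIRED = """
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_ldap.so
"""

STACK_LDAP_SUFFICIENT = """
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_passwd.so nullok use_first_pass
"""


def parse_stack(text: str, group: str = "auth") -> List[Tuple[str, str]]:
    """Return [(control, module_basename), ...] for one management group."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] != group:
            continue
        control, module = fields[1], fields[2].rsplit("/", 1)[-1]
        entries.append((control, module))
    return entries


def run_stack(stack: List[Tuple[str, str]], results: Dict[str, bool]) -> bool:
    """Apply the simple Linux-PAM control flags to a set of module outcomes.

    results maps module basename -> True (PAM_SUCCESS) / False (failure).
    Modules not listed are treated as succeeding (e.g. pam_securetty on a
    secure tty, pam_nologin when /etc/nologin is absent).
    """
    failed = False
    for control, module in stack:
        ok = results.get(module, True)
        if control == "requisite":
            if not ok:
                return False        # fail immediately
        elif control == "required":
            if not ok:
                failed = True       # remember, but keep running the stack
        elif control == "sufficient":
            if ok and not failed:
                return True         # short-circuit: later modules are skipped
            # a failing sufficient module does not affect the result
        elif control == "optional":
            pass
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return not failed


def build_pam_filter(pam_filter: str, uid: str) -> str:
    """Combine a pam_filter value with the login name the way the log shows:
    (&(<pam_filter>)(uid=<login>))."""
    return f"(&({pam_filter})(uid={uid}))"


# Constructed scenarios. pam_ldap succeeds only when the bind works *and*
# the pam_filter matches. pam_unix_passwd succeeds whenever NSS (files or
# ldap) hands it a password hash that matches; that the LDAP hash is
# reachable this way is an assumption about the site's setup.
SCENARIOS = {
    "defoo (activ=1, host=mailserver)": {"pam_ldap.so": True, "pam_unix_passwd.so": True},
    "other LDAP user (filter does not match)": {"pam_ldap.so": False, "pam_unix_passwd.so": True},
    "root (only in /etc/passwd)": {"pam_ldap.so": False, "pam_unix_passwd.so": True},
}


def evaluate(stack_text: str) -> Dict[str, bool]:
    """Map each scenario name to the stack's final auth decision."""
    stack = parse_stack(stack_text)
    return {who: run_stack(stack, res) for who, res in SCENARIOS.items()}


if __name__ == "__main__":
    print(build_pam_filter("&(host=mailserver)(activ=1)", "defoo"))
    for name, text in (("all required", STACK_ALL_REQUIRED),
                       ("ldap sufficient", STACK_LDAP_SUFFICIENT)):
        print(name)
        for who, ok in evaluate(text).items():
            print(f"  {who:42s} -> {'login' if ok else 'denied'}")
```

Running it shows the two outcomes side by side: with every module `required`, only the user matching the filter gets in and root is denied; with pam_ldap `sufficient`, root gets in, but so does any LDAP user whose filter check fails, because the decision is then made by the module after it. The script evaluates `auth` only; the `account` and `password` groups in the post are stacked the same way and can be checked by passing `group="account"` to `parse_stack`.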
