List: pamldap
Subject: [pamldap] pam_filter ignore?
From: Ralf Duda <duda () jobpilot ! de>
Date: 2000-10-06 13:43:36
Hello,
we use pam_ldap 74 and nss_ldap 116 on an openldap 1.2.10.
Everything is quite fine but...
Every valid user in our database has an activ attribute, set to 1 if
active and 0 if not, and an attribute with the servername to which the
user can connect. The reason is that _only_ active users with the exact
host account get a chance to connect.
I put this extra information into the ldap.conf as pam_filter. To be
sure, I edited pam_ldap.c so the library always writes the filter
string into the logfile. At this point everything works.
ldap.conf:
pam_filter &(host=mailserver)(activ=1)
This filter changes to (&(&(host=mailserver)(activ=1))(uid=defoo))
and works very nicely.
Now I start to configure my pam.d/login file.
If I do it in the following way, only valid LDAP users with the right
attributes are successful:
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_ldap.so
session required /lib/security/pam_unix_session.so
But nobody in /etc/passwd, like root, can log in.
So I configure the pam.d/login file in the following way:
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_passwd.so nullok use_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_passwd.so nullok use_first_pass
password sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_unix_passwd.so nullok use_first_pass debug
session required /lib/security/pam_unix_session.so
Now I can log in as root and with an LDAP account, but with _every_ LDAP
account.
In the logfile I see the filter twice and the pam_unix info:
Oct 6 15:14:15 mailserver login[30768]: pam_ldap: FILTER (&(&(host=mailserver)(activ=1))(uid=defoo))
Oct 6 15:14:16 mailserver login[30768]: pam_ldap: FILTER (&(&(host=mailserver)(activ=1))(uid=defoo))
Oct 6 15:14:16 mailserver PAM_unix[30768]: (login) session opened for user defoo by (uid=0)
In my nsswitch.conf the order is:
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
I would be very happy if someone could give me a hint.
best regards,
Ralf Duda
PS: The explanation from David about use/try_first_pass - GREAT!
Thanks very much!!
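Added example (editor's note, not code from the original post or from the pam_ldap project): a small simulator of the Linux-PAM "required"/"sufficient" control-flag semantics that replays the two pam.d/login auth stacks quoted above against constructed accounts. It assumes, as the page does not state, that with "shadow: files ldap" in nsswitch.conf the LDAP password hashes are visible to pam_unix through nss_ldap, so pam_unix can verify an LDAP user's password like a local one; pam_securetty and pam_nologin are assumed to always succeed. Under those assumptions the trace shows which module admits a user whose entry does not match pam_filter.

```python
"""PAM auth-stack simulator (added example, not from the original post).

Models Linux-PAM control flags and replays the two stacks from the message.
Assumptions not stated on the page: nss_ldap exposes LDAP password hashes
to pam_unix (nsswitch "shadow: files ldap"); pam_securetty and pam_nologin
always succeed. All account data below is constructed for the example.
"""
from typing import Callable, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

THIS_HOST = "mailserver"

# Constructed data: one local account and three LDAP entries carrying the
# "host" and "activ" attributes described in the post.
LOCAL_PASSWD = {"root": "rootpw"}
LDAP = {
    "defoo":     {"host": "mailserver", "activ": "1", "userPassword": "pw1"},
    "inactive":  {"host": "mailserver", "activ": "0", "userPassword": "pw2"},
    "otherhost": {"host": "webserver",  "activ": "1", "userPassword": "pw3"},
}

Module = Callable[[str, str], str]


def pam_securetty(user: str, password: str) -> str:
    return PAM_SUCCESS  # assumed: login from a tty listed in /etc/securetty


def pam_nologin(user: str, password: str) -> str:
    return PAM_SUCCESS  # assumed: /etc/nologin does not exist


def pam_ldap(user: str, password: str) -> str:
    """pam_ldap with pam_filter &(host=mailserver)(activ=1): the effective
    search is (&(&(host=mailserver)(activ=1))(uid=<user>)), so an entry
    that fails the filter is simply not found."""
    entry = LDAP.get(user)
    if entry is None or entry["host"] != THIS_HOST or entry["activ"] != "1":
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if entry["userPassword"] == password else PAM_AUTH_ERR


def nss_getpw(user: str) -> Optional[str]:
    """nsswitch 'passwd/shadow: files ldap': local files first, then LDAP.
    nss_ldap applies no pam_filter, so every LDAP entry is visible here
    (assumption: the hash is readable through nss_ldap)."""
    if user in LOCAL_PASSWD:
        return LOCAL_PASSWD[user]
    if user in LDAP:
        return LDAP[user]["userPassword"]
    return None


def pam_unix(user: str, password: str) -> str:
    stored = nss_getpw(user)
    if stored is None:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if stored == password else PAM_AUTH_ERR


def run_stack(stack: List[Tuple[str, Module]], user: str, password: str):
    """Evaluate a PAM stack with Linux-PAM control-flag semantics.
    Returns (final_code, trace); trace lists (module, code) for every
    module that was actually called."""
    trace = []
    required_failure = None
    for control, module in stack:
        code = module(user, password)
        trace.append((module.__name__, code))
        if control == "required":
            if code != PAM_SUCCESS and required_failure is None:
                required_failure = code  # remembered, but the stack continues
        elif control == "requisite":
            if code != PAM_SUCCESS:
                return code, trace       # immediate failure
        elif control == "sufficient":
            if code == PAM_SUCCESS and required_failure is None:
                return PAM_SUCCESS, trace  # short-circuit: nothing below runs
            # a failing "sufficient" module is ignored
        elif control == "optional":
            pass
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return (required_failure or PAM_SUCCESS), trace


# First stack from the message: pam_ldap alone decides.
STACK_LDAP_ONLY = [("required", pam_securetty), ("required", pam_nologin),
                   ("required", pam_ldap)]
# Second stack: pam_ldap sufficient, pam_unix required behind it.
STACK_LDAP_SUFFICIENT = [("required", pam_securetty), ("required", pam_nologin),
                         ("sufficient", pam_ldap), ("required", pam_unix)]

if __name__ == "__main__":
    for name, stack in (("ldap-only", STACK_LDAP_ONLY),
                        ("ldap-sufficient", STACK_LDAP_SUFFICIENT)):
        for user, pw in (("root", "rootpw"), ("defoo", "pw1"),
                         ("inactive", "pw2"), ("otherhost", "pw3")):
            code, trace = run_stack(stack, user, pw)
            print(f"{name:16} {user:10} -> {code:17} via {trace[-1][0]}")
```

Running it prints, for the second stack, that root and defoo are admitted as expected, and that "inactive" and "otherhost" are admitted too, with pam_unix as the last module called: pam_ldap's failure is discarded because it is "sufficient", and pam_unix, which resolves the user through nss_ldap without any pam_filter, then succeeds. For the first stack only defoo gets through, matching the observation that root cannot log in.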