
List:       secure-shell
Subject:    Re: ssh, pam, and ldap
From:       Richard Ray <rray () mstc ! state ! ms ! us>
Date:       2009-01-27 22:59:44
Message-ID: Pine.LNX.4.64.0901271656240.4506 () rray ! drdc ! mstc ! ms ! gov

On Tue, 27 Jan 2009, Jesse C. Waters wrote:

> Richard Ray wrote:
>> I have configured pam to authenticate ssh via ldap
>> No problems with that
>> How can I configure pam/ssh to use ldap for certain accounts only and unix 
>> password for other accounts
>> 
>> Running CentOS 5.2
>> 
>> Thanks
>> Richard Ray
>> 
>> 
> That is controlled with your /etc/nsswitch.conf:
>
> passwd files ldap
> group files ldap
>
> Check if the user exists in /etc/passwd first, then ldap.
>
> So if you have a local account joe and an ldap account joe, it should use the 
> local account first. If you flip it around to "passwd ldap files", then vice versa.
>
> To restrict logins to certain ldap groups you need to add "pam_groupdn" to 
> your ldap.conf file.
>
> All these relate to pam & ldap configurations; I am not a pam expert. Test 
> your configs and make sure you didn't allow anyone into your system as root 
> without a passwd. (Did that once, glad it was a VM.)

I am no pam expert, but this is what I came up with:
Create a local group ldap_users.
Add the users that will authenticate via ldap to ldap_users.
This is my /etc/pam.d/sshd:

auth       required     pam_nologin.so
auth       required     pam_localuser.so
auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass nullok
auth       required     pam_succeed_if.so debug user ingroup ldap_users
auth       sufficient   /lib/security/pam_ldap.so
auth       required     pam_deny.so
account    required     pam_nologin.so
account    sufficient   /lib/security/pam_ldap.so
account    include      system-auth
password   sufficient   /lib/security/pam_ldap.so
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth

It works for me.
I would appreciate a bit of scrutiny.

Richard


>
> HTH,
>
> Jesse Waters
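To see how the control flags in Richard's auth stack interact, here is an added Python model (not part of the thread) of Linux-PAM's required/requisite/sufficient evaluation run over those seven auth lines; it shows that with pam_localuser marked required, an account that exists only in LDAP is refused even with a correct LDAP password, and that a local user outside ldap_users cannot fall through to pam_ldap. The module names are the ones from the stack, the per-user verdicts are constructed booleans, and nothing is actually authenticated.

```python
# Added model of Linux-PAM control-flag semantics applied to the auth
# stack from the mail above. Module verdicts are supplied as booleans;
# this simulates the stack's decision logic only, it does not call PAM.

AUTH_STACK = [
    ("required",   "pam_nologin"),
    ("required",   "pam_localuser"),
    ("required",   "pam_env"),
    ("sufficient", "pam_unix"),        # try_first_pass nullok
    ("required",   "pam_succeed_if"),  # user ingroup ldap_users
    ("sufficient", "pam_ldap"),
    ("required",   "pam_deny"),
]

def run_stack(stack, verdicts):
    """Return (authenticated, deciding_module) for one pass through the stack.
    required: failure remembered, stack continues; requisite: failure ends it;
    sufficient: success ends it unless a required module already failed
    (a sufficient failure is ignored); optional: ignored here.
    A module missing from `verdicts` is treated as failing.
    """
    first_failure = None
    for control, module in stack:
        ok = verdicts.get(module, False)
        if control == "requisite" and not ok:
            return False, module
        if control == "required" and not ok and first_failure is None:
            first_failure = module
        if control == "sufficient" and ok and first_failure is None:
            return True, module
    return first_failure is None, first_failure or stack[-1][1]

def ssh_auth(in_etc_passwd, unix_pw_ok, in_ldap_users, ldap_pw_ok):
    """Map one constructed login attempt onto per-module verdicts."""
    verdicts = {
        "pam_nologin": True,             # /etc/nologin does not exist
        "pam_localuser": in_etc_passwd,  # passes only for /etc/passwd entries
        "pam_env": True,
        "pam_unix": unix_pw_ok,
        "pam_succeed_if": in_ldap_users,
        "pam_ldap": ldap_pw_ok,
        "pam_deny": False,               # always fails
    }
    return run_stack(AUTH_STACK, verdicts)

if __name__ == "__main__":
    print(ssh_auth(True, True, False, False))   # local user, unix password
    print(ssh_auth(True, False, True, True))    # ldap_users member, LDAP password
    print(ssh_auth(False, False, True, True))   # LDAP-only account: rejected
    print(ssh_auth(True, False, False, True))   # non-member with LDAP password
```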