
Re: [pamldap] pam_ldap.so and Debian...making it work!



On Thu, 2004-04-29 at 09:01, Tim Jordan wrote:
> I noticed that the common-session is included under the login config.
> Although, I can't think of what session would have to do with user
> authentication.
> 
> Also, since there are "auth" lines in the login config, perhaps I should
> include the pam_ldap.so at the top of the login config?
> 
> **I included comments showing how the respective config file is set.**
> 
> Debian Testing /etc/pam.d/login:
> auth        requisite   pam_securetty.so    #Disallows root logins except on tty's..
> auth        requisite   pam_nologin.so      #Disallows other than root logins when /etc/nologin exist
> auth        required    pam_env.so          #Parses /etc/environment
> 
> @include    common-auth                     #auth     required   pam_login.so
> @include    common-account                  #account  required   pam_login.so
> @include    common-session                  #session  required   pam_unix.so
> 
> session     optional    pam_lastlog.so      # prints last login info upon successful login
> session     optional    pam_motd.so         # prints the motd upon successful login
> session     optional    pam_mail.so standard noenv  # prints status of users mbx upon login
> 
> 
> Is there a "test" that would ensure that pam_ldap.so is being called? 
> Just looking at the auth.log is not providing much except pam_unix.so
> entries.
> 
> Thanks,
> Tim Jordan

I just modified /etc/pam.d/login a little:

auth       requisite  pam_securetty.so
auth       requisite  pam_nologin.so
auth       required   pam_env.so
auth       required   pam_ldap.so
auth       required   pam_unix.so nullok use_first_pass
account    [module_unknown=ignore default=die success=done user_unknown=ignore \
            system_err=ignore service_err=ignore authinfo_unavail=ignore] \
           pam_ldap.so
account    required   pam_unix.so 
session    required   pam_unix.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard noenv
password   sufficient pam_ldap.so
password   required   pam_unix.so nullok obscure min=4 max=8 md5


This is off a stock Debian Woody box. Local logins do auth against LDAP.
It works great, unless my LDAP server is unavailable. Then, the box is
locked out. This is why I haven't put this into production yet.

If you want ssh to auth against LDAP, then you have to modify
/etc/pam.d/ssh using the same lines as above.

-- 
Brendon Colby
Unix Systems Administrator
Lightedge Solutions, Inc.
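The "locked out when the LDAP server is unavailable" behaviour described in the reply follows directly from how Linux-PAM combines the results of a module stack: with `auth required pam_ldap.so`, a PAM_AUTHINFO_UNAVAIL from pam_ldap.so is frozen as the stack's result, and a later successful pam_unix.so cannot clear it. The simulator below is an added example, not code from this thread; it encodes the pam.d(5) control semantics (jumps and `reset` are not modelled) and replays the posted auth lines in a constructed scenario where pam_ldap.so cannot reach its server, once with the posted `required` control and once with the bracketed control string the same message already uses on its account line.

```python
from typing import Dict, List, Tuple

SUCCESS, AUTHINFO_UNAVAIL = "success", "authinfo_unavail"

# The simple control keywords are shorthand for these [value=action] tables
# (see pam.d(5)); jump actions ("N") and "reset" are not modelled here.
CONTROLS: Dict[str, Dict[str, str]] = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control: str) -> Dict[str, str]:
    """Map 'required' or '[success=done default=die ...]' to a value->action table."""
    if control.startswith("["):
        return dict(p.split("=", 1) for p in control.strip("[]").split())
    return CONTROLS[control]

def run_stack(stack: List[Tuple[str, str]], results: Dict[str, str]) -> str:
    """Evaluate one management group (here the 'auth' lines) of a pam.d file.
    stack: ordered (control, module) pairs; results: what each module returns in
    the simulated scenario. Returns the status PAM hands back to the application."""
    status = None  # Linux-PAM freezes the FIRST failure; a later 'ok' never clears it
    for control, module in stack:
        rv = results[module]
        table = parse_control(control)
        action = table.get(rv, table.get("default", "bad"))  # pam.d(5): default is bad
        if action == "ignore":          # this result does not influence the stack
            continue
        if action not in ("ok", "done", "bad", "die"):
            raise ValueError(f"unsupported PAM action {action!r}")
        if status is None and rv != SUCCESS:
            status = rv
        if action in ("done", "die"):   # stop evaluating the remaining modules
            break
    return SUCCESS if status is None else status

# The auth lines from the /etc/pam.d/login posted above, in order.
AUTH_STACK = [("requisite", "pam_securetty.so"), ("requisite", "pam_nologin.so"),
              ("required", "pam_env.so"), ("required", "pam_ldap.so"),
              ("required", "pam_unix.so")]

def login_with_ldap_down(ldap_control: str) -> str:
    """Constructed scenario: correct local password, but the LDAP server is unreachable."""
    stack = [(ldap_control if m == "pam_ldap.so" else c, m) for c, m in AUTH_STACK]
    results = {m: SUCCESS for _, m in AUTH_STACK}
    results["pam_ldap.so"] = AUTHINFO_UNAVAIL   # server down, not a wrong password
    return run_stack(stack, results)
```

`login_with_ldap_down("required")` returns `authinfo_unavail` (the lockout), while passing the account line's `[module_unknown=ignore default=die success=done ... authinfo_unavail=ignore]` string lets pam_unix.so decide; a wrong password still fails either way because `auth_err` maps to `bad` or `die`.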


