Re: [pamldap] pam_ldap.so and Debian...making it work!
On Thu, 2004-04-29 at 09:01, Tim Jordan wrote:
> I noticed that the common-session is included under the login config.
> Although; I can't think of what session would have to do with user
> authentication.
>
> Also, since there is "auth" lines in the login config perhaps I should
> include the pam_ldap.so at the top of the login config?
>
> **I included comments showing how the respective config file is set.**
>
> Debian Testing /etc/pam.d/login:
> auth requisite pam_securetty.so #Disallows root logins except on tty's..
> auth requisite pam_nologin.so #Disallows other than root logins when /etc/nologin exist
> auth required pam_env.so #Parses /etc/environment
>
> @include common-auth #auth required pam_login.so
> @include common-account #account required pam_login.so
> @include common-session #session required pam_unix.so
>
> session optional pam_lastlog.so # prints last login info upon successful login
> session optional pam_motd.so # prints the motd upon successful login
> session optional pam_mail.so standard noenv # prints status of users mbx upon login
>
>
> Is there a "test" that would ensure that pam_ldap.so is being called?
> Just looking at the auth.log is not providing much except pam_unix.so
> entries.
>
> Thanks,
> Tim Jordan
I just modified /etc/pam.d/login a little:
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_ldap.so
auth required pam_unix.so nullok use_first_pass
account [module_unknown=ignore default=die success=done user_unknown=ignore \
        system_err=ignore service_err=ignore authinfo_unavail=ignore] \
        pam_ldap.so
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
This is off a stock Debian Woody box. Local logins do auth against LDAP.
It works great, unless my LDAP server is unavailable. Then, the box is
locked out. This is why I haven't put this into production yet.
If you want ssh to auth against LDAP, then you have to modify
/etc/pam.d/ssh using the same lines as above.
--
Brendon Colby
Unix Systems Administrator
Lightedge Solutions, Inc.
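The lockout Brendon describes follows directly from how libpam walks a stack: with `auth required pam_ldap.so`, an unreachable server makes pam_ldap return PAM_AUTHINFO_UNAVAIL, `required` maps every non-success result to `bad`, and the recorded failure can no longer be overridden by a later pam_unix success. His bracketed account line, by contrast, maps `authinfo_unavail=ignore`, so the account phase is not where the box locks up. The script below is an added example, written for this thread and not code from either poster or from the Linux-PAM project; it implements the control-flag rules of pam.d(5) (`required`, `requisite`, `sufficient`, `optional`, and the `[value=action]` form) and runs Brendon's auth and account lines, plus a variant that uses `sufficient` for pam_ldap in the auth group the way he already does in the password group. The module return values for each scenario are constructed, since what pam_ldap really returns can only be observed on the live box.

```python
"""Simulate Linux-PAM stack evaluation (pam.d(5) control-flag semantics).

Constructed for illustration: the pam.d text is taken from the thread, the
per-module return values in SCENARIOS are made up to model an LDAP outage.
"""
import re

# pam.d(5) documents each shorthand flag as an equivalent [value=action] list.
SHORTHAND = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# Brendon's auth and account lines (session/password omitted; not needed here).
LOGIN_PAMD = """\
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_ldap.so
auth required pam_unix.so nullok use_first_pass
account [module_unknown=ignore default=die success=done user_unknown=ignore \\
        system_err=ignore service_err=ignore authinfo_unavail=ignore] \\
        pam_ldap.so
account required pam_unix.so
"""

# Variant: pam_ldap marked sufficient, pam_unix still required behind it.
FAILOVER_AUTH = """\
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth sufficient pam_ldap.so
auth required pam_unix.so nullok use_first_pass
"""

def parse_stack(text, section):
    """Return [(module, {result: action}), ...] for one management group.
    Joins trailing-backslash continuation lines and strips '#' comments;
    '@include' lines are skipped (this models only the file itself)."""
    lines = []
    for raw in text.splitlines():
        raw = raw.split("#", 1)[0].rstrip()
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + " " + raw.strip()
        else:
            lines.append(raw)
    stack = []
    for line in lines:
        m = re.match(r"^\s*(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
        if not m or m.group(1) != section:
            continue
        ctrl, module = m.group(2), m.group(3)
        if ctrl.startswith("["):
            actions = dict(tok.split("=", 1) for tok in ctrl[1:-1].split())
        else:
            actions = SHORTHAND[ctrl]
        stack.append((module, actions))
    return stack

def evaluate(stack, results):
    """Walk the stack as libpam does and return "success" or "failure".
    results maps module name -> return value; unlisted modules succeed.
    ok/done record success (done also returns at once unless a failure is
    already recorded); bad/die record failure (die returns at once);
    ignore leaves the state alone; an integer N skips the next N entries."""
    state = None  # nothing recorded yet, else "success" / "failure"
    i = 0
    while i < len(stack):
        module, actions = stack[i]
        result = results.get(module, "success")
        action = actions.get(result, actions.get("default", "bad"))
        i += 1
        if action in ("ok", "done"):
            if state is None:
                state = "success"
            if action == "done" and state == "success":
                return "success"
        elif action in ("bad", "die"):
            state = "failure"  # a first failure is never overridden later
            if action == "die":
                return "failure"
        elif action.isdigit():
            i += int(action)
        # "ignore": this module's result does not contribute
    return state or "failure"

# Constructed outcomes: what pam_ldap / pam_unix return in each situation.
SCENARIOS = {
    "ldap up, password ok":            {"pam_ldap.so": "success",          "pam_unix.so": "success"},
    "ldap down, local password ok":    {"pam_ldap.so": "authinfo_unavail", "pam_unix.so": "success"},
    "ldap down, local password wrong": {"pam_ldap.so": "authinfo_unavail", "pam_unix.so": "auth_err"},
}

def simulate():
    """Evaluate each scenario against both auth stacks."""
    required_stack = parse_stack(LOGIN_PAMD, "auth")
    sufficient_stack = parse_stack(FAILOVER_AUTH, "auth")
    return {name: {"required": evaluate(required_stack, r),
                   "sufficient": evaluate(sufficient_stack, r)}
            for name, r in SCENARIOS.items()}

if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:34s} required pam_ldap: {outcome['required']:8s} "
              f"sufficient pam_ldap: {outcome['sufficient']}")
    acct = evaluate(parse_stack(LOGIN_PAMD, "account"), {"pam_ldap.so": "authinfo_unavail"})
    print(f"account phase with LDAP down: {acct}")
```

Running it shows the thread's symptom in the middle row: with `required`, an LDAP outage fails the stack even though pam_unix accepted the local password, while the `sufficient` variant falls through to pam_unix and still refuses a wrong password (third row), because pam_unix remains `required` behind it. The simulator models only the control-flag logic, not whether a given module really verifies a given user, so it answers "why does this stack lock me out", not Tim's question of whether pam_ldap is being called on a particular box.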