
Re: LDAP authentication with PAM



>>>>> "Steve" == Steve Langasek <vorlon@netexpress.net> writes:

    Steve> session    [success=1 default=ok] pam_unix.so
    Steve> session    required   pam_ldap.so

Thanks. I think that is just what I was looking for. Errr... except I
think you meant default=ignore, not default=ok, as OK seems to mean
return the error.

    Steve> session    optional   pam_lastlog.so
    Steve> session    optional   pam_motd.so
    Steve> session    optional   pam_mail.so standard noenv

    Steve> This is a Linux-specific extension to PAM which has been
    Steve> available for some time now.  It's documented in section
    Steve> 4.1 of the Linux-PAM System Administrators' Guide:
    Steve> 'Configuration file syntax'.  See the libpam-doc package
    Steve> for the relevant documentation.

Thanks again.

    Steve> However, there's probably an easier way to do what you want
    Steve> here.  The pam_unix session module is a complete no-op, and
    Steve> I suspect that this may be true for pam_ldap as well.  In
    Steve> which case, you can pick one of [pam_unix, pam_ldap,
    Steve> pam_permit], put that at the top, and put your other three
    Steve> modules immediately after.

Ok. Now I have:

[auth stuff removed]

auth    required                        pam_nologin.so
auth    [success=1 default=ignore]      pam_ldap.so
auth    required                        pam_unix.so try_first_pass
auth    optional                        pam_krb5.so try_first_pass

auth    optional                        pam_group.so

account [success=1 default=ignore]      pam_ldap.so
account required                        pam_unix.so
account required                        pam_permit.so

session [success=1 default=ignore]      pam_ldap.so
session required                        pam_unix.so
session required                        pam_permit.so

[session stuff removed]

password required                       pam_cracklib.so retry=3 minlen=6 difok=3
password required                       pam_ldap.so use_authtok


Notes:

1. So if pam_ldap ever fails it will drop back to pam_unix.

2. I only support pam_ldap password for changing passwords.

3. I could assume that both pam_ldap and pam_unix for session are NOPs
(and both work even with the SLAP server down), but I thought this way
would be more "future" safe.

4. success=1 means jump ahead one rule. But it seems to get very
confused (read: does not work) if that rule does not exist, hence my
use of pam_permit to make sure.

5. I only use pam_unix for login and pam_krb5 for login and
gdm. pam_krb5 is optional, which makes it much the same as typing in
kinit after logging in. Everything else relies on LDAP.
-- 
Brian May <bam@debian.org>
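As an added example (not from either mail in this thread, and not libpam code), here is a small Python model of how Linux-PAM walks one management group, so a stack like the one above can be checked on paper for the two cases the notes care about: the LDAP server being down (note 1) and a `success=1` jump landing past the last rule (note 4). The module results are supplied by hand in a dictionary rather than by running real modules; the keyword-to-bracket mapping is reduced to the result names the model produces; and a jump whose target lies beyond the last rule is treated as a failure of the whole stack, which is the behaviour note 4 reports and the reason `pam_permit` is kept as a landing rule. The `NO_LANDING_CONFIG` stack is constructed to show that case.

```python
"""Simplified simulator of Linux-PAM stack evaluation.

Constructed for illustration; it is not libpam's dispatcher.  It handles the
four control keywords and the bracketed [result=action ...] form (actions
ok, done, ignore, bad, die, reset, or an integer jump) closely enough to
answer "what happens if pam_ldap fails?" and "where does success=N land?".
"""
import re
from dataclasses import dataclass, field

# Keyword controls in bracketed form, reduced to the result names this model
# produces (assumption; pam.conf(5) lists the complete mapping).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

RULE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# The account/session/password stacks exactly as posted above.
POSTED_CONFIG = """
account [success=1 default=ignore]      pam_ldap.so
account required                        pam_unix.so
account required                        pam_permit.so

session [success=1 default=ignore]      pam_ldap.so
session required                        pam_unix.so
session required                        pam_permit.so

password required                       pam_cracklib.so retry=3 minlen=6 difok=3
password required                       pam_ldap.so use_authtok
"""

# Constructed variant for note 4: no pam_permit to land on, so a successful
# pam_ldap jumps over pam_unix and off the end of the stack.
NO_LANDING_CONFIG = """
session [success=1 default=ignore]      pam_ldap.so
session required                        pam_unix.so
"""


@dataclass
class Rule:
    group: str
    module: str
    actions: dict
    args: list = field(default_factory=list)


def parse_control(token):
    """Turn 'required' or '[success=1 default=ignore]' into an action map."""
    if not token.startswith("["):
        return dict(KEYWORD_CONTROLS[token])
    actions = {}
    for pair in token.strip("[]").split():
        key, value = pair.split("=", 1)
        actions[key] = int(value) if value.isdigit() else value
    actions.setdefault("default", "bad")   # unlisted results count as bad
    return actions


def parse_stack(text, group):
    """Return the rules of one management group (auth/account/session/password)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        if m.group(1) == group:
            rules.append(Rule(group, m.group(3), parse_control(m.group(2)),
                              m.group(4).split()))
    return rules


def evaluate(rules, outcomes):
    """Walk one stack.  `outcomes` maps module name -> result it returns
    (anything not listed returns 'success').  Returns (final, trace) where
    trace lists (module, result, action) for every rule actually consulted."""
    impression, status, trace, i = None, None, [], 0
    while i < len(rules):
        rule = rules[i]
        result = outcomes.get(rule.module, "success")
        action = rule.actions.get(result, rule.actions["default"])
        trace.append((rule.module, result, action))
        if isinstance(action, int):
            # N: like ok, then skip the next N rules.  Landing beyond the last
            # rule is modelled as a stack failure (note 4 in the post).
            if impression != "negative":
                impression, status = "positive", "success"
            if i + action + 1 >= len(rules):
                trace.append(("<stack>", "jump past end", "bad"))
                impression, status = "negative", "failure"
                break
            i += action
        elif action in ("ok", "done"):
            if impression != "negative":
                impression, status = "positive", "success"
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            impression, status = "negative", "failure"
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, None
        # "ignore" falls through: the rule does not affect the result
        i += 1
    return (status or "failure"), trace


def executed_modules(rules, outcomes):
    """Convenience: just the sequence of modules that actually ran."""
    return [m for m, _, _ in evaluate(rules, outcomes)[1] if m != "<stack>"]


if __name__ == "__main__":
    session = parse_stack(POSTED_CONFIG, "session")
    print(evaluate(session, {}))
    print(evaluate(session, {"pam_ldap.so": "service_err"}))
    print(evaluate(parse_stack(NO_LANDING_CONFIG, "session"), {}))
```

Running it shows the three behaviours the notes describe: with LDAP up, `pam_ldap` succeeds and the jump skips `pam_unix` and lands on `pam_permit`; with LDAP failing, `default=ignore` lets `pam_unix` answer instead; and without the `pam_permit` landing rule the same successful `pam_ldap` result turns into a stack failure.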