Re: LDAP authentication with PAM
Previously Brian May wrote:
> However what about:
> pam_env, pam_limits, pam_securetty, pam_lastlog, pam_motd, pam_issue, pam_mail?
Those only make sense for interactive sessions so they aren't listed
in most files.
> Also, anyone know why I have a pppd and a ppp file?
Bug in pppd, one of them is probably a left-over configuration file
that the package forgot to remove.
> I can't even find any information on pam_pwdb. It doesn't seem to
> be used in any case.
pam_pwdb is obsolete, forget about it :)
> Do others keep /etc/shadow around for this reason too, or do you assume LDAP
> will be running all the time in order to simplify this stuff?
No, it would suck a bit if you boot into maintenance or single-user mode
and you couldn't login. Having /etc/shadow around is definitely useful.
> Oh, if no password service is found inside /etc/pam.d/login (for
> instance) will it look in /etc/pam.d/other? I think it does.
Not sure if it does actually.
> Actually I was pushing ctrl^C trying to abort... Can't it make up its
> mind if it's updating UNIX or LDAP? (this only happens when done as
> root with a /etc/ldap.secret file).
That's not a bug, it's a feature. You have to tell the pam_ldap module
to first try the password that the pam_unix module collected. Again,
this is nicely documented in the PAM documentation :)
The correct snippet would be:
auth sufficient pam_unix.so
auth required pam_ldap.so try_first_pass
account sufficient pam_unix.so
account required pam_ldap.so
password sufficient pam_unix.so
password required pam_ldap.so use_authtok
Wichert.
--
________________________________________________________________
/ Generally uninteresting signature - ignore at your convenience \
| wichert@cistron.nl http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
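The double prompt Brian hit comes from stacking two password-collecting modules without telling the second one to reuse the token the first collected. The linter below is an added example (my code, not from this thread, Debian or the pam_ldap project) that parses a pam.d-style stack and flags exactly that: a second password module in the auth stack without try_first_pass/use_first_pass, or in the password stack without use_authtok. The function names parse_pam and lint_stack are my own, and BROKEN is a constructed reconstruction of the stack as described in the question, placed beside the corrected snippet from the reply.

```python
"""Lint a PAM stack for the double-prompt / split-update problem.

Added example: checks that when pam_unix and pam_ldap are stacked, the second
module reuses the password already collected instead of prompting again.
"""
from typing import Dict, List, Tuple

# Constructed sample: the stack as described in the question (no token reuse),
# which prompts twice and lets UNIX and LDAP be updated with different passwords.
BROKEN = """\
auth     sufficient pam_unix.so
auth     required   pam_ldap.so
account  sufficient pam_unix.so
account  required   pam_ldap.so
password sufficient pam_unix.so
password required   pam_ldap.so
"""

# The corrected snippet from the reply.
FIXED = """\
auth     sufficient pam_unix.so
auth     required   pam_ldap.so try_first_pass
account  sufficient pam_unix.so
account  required   pam_ldap.so
password sufficient pam_unix.so
password required   pam_ldap.so use_authtok
"""

Entry = Tuple[str, str, str, List[str]]  # (type, control, module, args)

# Modules that prompt for a password themselves unless told to reuse one.
PASSWORD_MODULES = {"pam_unix.so", "pam_ldap.so", "pam_pwdb.so"}

# Per stack type, the option that makes a later module reuse the earlier token.
REUSE_FLAGS: Dict[str, set] = {
    "auth": {"try_first_pass", "use_first_pass"},
    "password": {"use_authtok"},
}


def parse_pam(text: str) -> List[Entry]:
    """Parse pam.d lines; handles '#' comments and bracketed [..] controls."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype = parts[0].lower()
        if parts[1].startswith("["):
            # Linux-PAM extended control, e.g. "[success=1 default=ignore]"
            ends = [i for i, p in enumerate(parts) if p.endswith("]")]
            if not ends:
                raise ValueError(f"unterminated control field: {raw!r}")
            end = ends[0]
            control = " ".join(parts[1:end + 1])
            rest = parts[end + 1:]
        else:
            control = parts[1].lower()
            rest = parts[2:]
        if not rest:
            raise ValueError(f"missing module in PAM line: {raw!r}")
        module, *args = rest
        module = module.rsplit("/", 1)[-1]  # compare on basename, ignore /lib/security/
        entries.append((mtype, control, module, args))
    return entries


def lint_stack(entries: List[Entry]) -> List[str]:
    """Return findings (empty list means the stack passes the check)."""
    findings: List[str] = []
    for mtype, flags in REUSE_FLAGS.items():
        seen_prompter = False
        for t, control, module, args in entries:
            if t != mtype or module not in PASSWORD_MODULES:
                continue
            if seen_prompter and not (flags & set(args)):
                findings.append(
                    f"{mtype}: {module} ({control}) follows another password "
                    f"module without {' or '.join(sorted(flags))}; "
                    f"the user will be prompted a second time"
                )
            seen_prompter = True
    return findings


if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(f"{name}:")
        for f in lint_stack(parse_pam(text)) or ["ok"]:
            print("  " + f)
```

Run against a real file with `lint_stack(parse_pam(open("/etc/pam.d/login").read()))`. The account stack is deliberately not checked: account modules never collect a password, so stacking pam_unix and pam_ldap there without extra options is fine, as in the corrected snippet.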