Re: LDAP authentication with PAM
>>>>> "Steve" == Steve Langasek <email@example.com> writes:
Steve> session [success=1 default=ok] pam_unix.so
Steve> session required pam_ldap.so
Thanks. I think that is just what I was looking for. Errr... except I
think you meant default=ignore, not default=ok, as OK seems to mean
return the error.
Steve> session optional pam_lastlog.so
Steve> session optional pam_motd.so
Steve> session optional pam_mail.so standard noenv
Steve> This is a Linux-specific extension to PAM which has been
Steve> available for some time now. It's documented in section
Steve> 4.1 of the Linux-PAM System Administrators' Guide:
Steve> 'Configuration file syntax'. See the libpam-doc package
Steve> for the relevant documentation.
Steve> However, there's probably an easier way to do what you want
Steve> here. The pam_unix session module is a complete no-op, and
Steve> I suspect that this may be true for pam_ldap as well. In
Steve> which case, you can pick one of [pam_unix, pam_ldap,
Steve> pam_permit], put that at the top, and put your other three
Steve> modules immediately after.
Ok. Now I have:
[auth stuff removed]
auth required pam_nologin.so
auth [success=1 default=ignore] pam_ldap.so
auth required pam_unix.so try_first_pass
auth optional pam_krb5.so try_first_pass
auth optional pam_group.so
account [success=1 default=ignore] pam_ldap.so
account required pam_unix.so
account required pam_permit.so
session [success=1 default=ignore] pam_ldap.so
session required pam_unix.so
session required pam_permit.so
[session stuff removed]
password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_ldap.so use_authtok
1. So if pam_ldap ever fails it will drop back to pam_unix.
2. I only support pam_ldap password for changing passwords.
3. I could assume that both pam_ldap and pam_unix for session are NOPs
(and both work even with the SLAP server down, but I though this way
would be more "future" safe.
4. success=1 means jump ahead one rule. But it seems to get very
confused (read: does not work) if that rule does not exist, hence my
use of pam_permit to make sure.
5. I only use pam_unix for login and pam_krb5 for login and
gdm. pam_krb5 is optional, which makes it much the same as typing in
kinit after logging in. Everything else relies on LDAP.
Brian May <firstname.lastname@example.org>