
Re: ispman: pam/ldap+flat files


On Wed, Jul 17, 2002 at 09:40:23PM -0400, Chris Zubrzycki wrote:
> I am brand new to openldap though. I set up ispman, and can use it to 
> add domains and such, but I am not sure how to add ldap to the pam 
> files so that it checks for local accounts, and if none, it then checks 
> ldap. I saw some sample conf files on the net, but they did not come 
> with any documentation.

Initial PAM efforts had good documentation; afterwards it seems that
people just hacked up additional modules for it.

I will include my /etc/pam.d/login file here:

# Authentication: try unix first, then LDAP if that fails

# Deny globally (maybe)
auth       requisite    pam_securetty.so
auth       requisite    pam_nologin.so
# Make it look pretty
auth       required     pam_issue.so
auth       required     pam_env.so
# Authenticate
auth       sufficient   pam_unix_auth.so
auth       sufficient   pam_smb_auth.so   use_first_pass
auth       sufficient   pam_ldap.so       use_first_pass ignore_unknown_user
auth       required     pam_deny.so

# Note: ldap says it does not know unknown users; this reveals that
# fact to the person logging in.  So we let them fall through and
# fail.  This way we also yield a homogeneous look to the user.

# Account: try unix first, then LDAP if that fails

account    requisite    pam_access.so
account    sufficient   pam_unix_acct.so
account    required     pam_ldap.so

# Session: issue message of the day, show the user's mail
#          doubt that this works with Maildir

# Only for Home-Servers
session    required     pam_mkhomedir.so
# More messages to the user
session    optional     pam_motd.so
session    optional     pam_lastlog.so
session    optional     pam_mail.so dir=~/Maildir/ empty
# Notify the sysadmin about the session - syslog
session    required     pam_unix_session.so


Note the difference between the authentication and the "account"
step.  The first establishes whether

 a) any user is allowed (at this time, from that host, etc.)
 b) the user can prove that he/she is the owner of the account (authentication)

The second step checks whether the user (now authenticated) is allowed to
access his/her account (at this time, until payment ...)

The "session" (setup) step does not involve ldap and is not supported
either, although in principle it could be nice too.

However, note that there exists another approach to authentication
databases too: nsswitch!

With the following setup:
# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      files
services:       files
ethers:         files
rpc:            files

netgroup:       nis

you make some programs first check the /etc/passwd file to see whether
they find the user, and then the ldap database.

This is very nice, because you can authenticate root and some "local"
users even if the ldap server does not work or the network
connection gets lost.

I have both approaches on my home network, and the sad thing about it
is that actually Debian is not consistent about either, so things do
not always work out well (to save the honor of Debian: to my knowledge
there is no system which works consistently).

> Could anyone point me to some good resources to get me going? I prefer 
> online for the moment, I am planning on getting a book or two later.


Hope this Megamail helped something out.

Best Regards,
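As an added example (not part of the mail above, and not code from ispman, pam_ldap or libpam): a small Python simulation of how libpam walks the quoted auth and account stacks, and of the lookup order that "passwd: files ldap" in nsswitch.conf produces. The sample accounts, every module result and the unavailable SMB server are constructed; nothing here calls real libpam or glibc, and the control-flag semantics are modelled only for the four keyword controls used in the mail.

```python
# Added example: simulate libpam's walk over the quoted stacks and an
# nsswitch source order.  All module results below are constructed.
from enum import Enum, auto


class R(Enum):
    SUCCESS = auto()       # PAM_SUCCESS
    AUTH_ERR = auto()      # PAM_AUTH_ERR: bad credentials (also what pam_deny returns)
    USER_UNKNOWN = auto()  # PAM_USER_UNKNOWN
    UNAVAIL = auto()       # PAM_AUTHINFO_UNAVAIL: backend unreachable
    IGNORE = auto()        # PAM_IGNORE: module abstains (ignore_unknown_user)
    PERM_DENIED = auto()   # PAM_PERM_DENIED: libpam's answer when no module decided


# The two stacks from the mail, as (type, control, module, arguments) rows.
AUTH_STACK = [
    ("auth", "requisite", "pam_securetty.so", ""),
    ("auth", "requisite", "pam_nologin.so", ""),
    ("auth", "required", "pam_issue.so", ""),
    ("auth", "required", "pam_env.so", ""),
    ("auth", "sufficient", "pam_unix_auth.so", ""),
    ("auth", "sufficient", "pam_smb_auth.so", "use_first_pass"),
    ("auth", "sufficient", "pam_ldap.so", "use_first_pass ignore_unknown_user"),
    ("auth", "required", "pam_deny.so", ""),
]
ACCOUNT_STACK = [
    ("account", "requisite", "pam_access.so", ""),
    ("account", "sufficient", "pam_unix_acct.so", ""),
    ("account", "required", "pam_ldap.so", ""),
]

# Constructed sample accounts: what /etc/passwd+shadow and the LDAP tree hold.
LOCAL = {"root": "toor-pw", "alice": "alice-pw"}
LDAP = {"bob": "bob-pw"}


def run_stack(stack, outcome):
    """requisite failure returns at once; required failure is remembered but
    the stack keeps running; sufficient success returns at once unless a
    required module already failed; sufficient/optional failures are ignored."""
    impression, status = None, R.PERM_DENIED
    for mtype, control, module, args in stack:
        res = outcome(mtype, module, args)
        if res is R.IGNORE:
            continue
        if res is R.SUCCESS:
            if control == "sufficient" and impression != "neg":
                return R.SUCCESS             # done: pam_deny below is never reached
            if impression is None:
                impression, status = "pos", R.SUCCESS
        elif control == "requisite":
            return res                       # die: fail immediately
        elif control == "required" and impression != "neg":
            impression, status = "neg", res  # bad: remember, keep walking the stack
    return status


def make_outcome(user, password, ldap_up):
    """Play the modules for one login attempt against the constructed data."""
    def outcome(mtype, module, args):
        if module == "pam_unix_auth.so":
            if user not in LOCAL:
                return R.USER_UNKNOWN
            return R.SUCCESS if LOCAL[user] == password else R.AUTH_ERR
        if module == "pam_unix_acct.so":
            return R.SUCCESS if user in LOCAL else R.USER_UNKNOWN
        if module == "pam_smb_auth.so":
            return R.UNAVAIL                 # no SMB server in this simulation
        if module == "pam_ldap.so":
            if not ldap_up:
                return R.UNAVAIL
            if user not in LDAP:             # unknown user: abstain or say so
                return R.IGNORE if "ignore_unknown_user" in args else R.USER_UNKNOWN
            if mtype == "auth":
                return R.SUCCESS if LDAP[user] == password else R.AUTH_ERR
            return R.SUCCESS                 # account check: entry exists, enabled
        if module == "pam_deny.so":
            return R.AUTH_ERR
        return R.SUCCESS                     # securetty, nologin, issue, env, access
    return outcome


def login(user, password, ldap_up=True):
    """Mimic login(1): pam_authenticate, then pam_acct_mgmt."""
    outcome = make_outcome(user, password, ldap_up)
    if run_stack(AUTH_STACK, outcome) is not R.SUCCESS:
        return "auth failed"
    if run_stack(ACCOUNT_STACK, outcome) is not R.SUCCESS:
        return "account failed"
    return "ok"


def getpwnam(user, ldap_up=True, order=("files", "ldap")):
    """nsswitch 'passwd: files ldap' with default actions: SUCCESS=return,
    NOTFOUND and UNAVAIL continue to the next source."""
    for source in order:
        if source == "files" and user in LOCAL:
            return "files"
        if source == "ldap" and ldap_up and user in LDAP:
            return "ldap"
    return None


if __name__ == "__main__":
    for who, pw, up in [("alice", "alice-pw", True), ("bob", "bob-pw", True),
                        ("mallory", "x", True), ("bob", "bob-pw", False)]:
        print(f"{who:8} ldap_up={up!s:5} -> {login(who, pw, up)}")
    print("getpwnam(alice) with ldap down ->", getpwnam("alice", ldap_up=False))
```

Running it shows the two points of the mail: an unknown user and a wrong password both end at pam_deny with the same result (the "homogeneous look"), and a local user still logs in and resolves through nsswitch while the ldap server is down, whereas an ldap-only user does not.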

