Re: ispman: pam/ldap+flat files
Hello!
On Wed, Jul 17, 2002 at 09:40:23PM -0400, Chris Zubrzycki wrote:
...
> I am brand new to openldap though. I set up ispman, and can use it to
> add domains and such, but I am not sure how to add ldap to the pam
> files so that it checks for local accounts, and if none, it then checks
> ldap. I saw some sample conf files on the net, but they did not come
> with any documentation.
Initial PAM efforts had good documentation, afterwards it seems that
people had just been hacking up additional modules for it.
I will include my /etc/pam.d/login file here:
---------------------------------
# Authentication: try unix first, then LDAP if that fails
# Deny globally (maybe)
auth requisite pam_securetty.so
auth requisite pam_nologin.so
# Make it look pretty
auth required pam_issue.so
auth required pam_env.so
# Autenticate
auth sufficient pam_unix_auth.so
auth sufficient pam_smb_auth.so use_first_pass
auth sufficient pam_ldap.so use_first_pass ignore_unknown_user
auth required pam_deny.so
# Note: ldap says it does not know unknown users, this reveals that
# fact to the person logging in. So we let them fall through and
# fail. This way we also myeld a homogeneos look to the user.
# Account: try unix first, then LDAP if that fails
account requisite pam_access.so
account sufficient pam_unix_acct.so
account required pam_ldap.so
# Session: issue message of the day, show the users mail
# doubt that this works with Maildir
# Only for Home-Servers
session required pam_mkhomedir.so
# More messages to the user
session optional pam_motd.so
session optional pam_lastlog.so
session optional pam_mail.so dir=~/Maildir/ empty
# Notify the sysadmin about the session - syslog
session required pam_unix_session.so
----------------------------------
Note the difference between the authentication and the "account"
step. The first establishes, if
a) any user is allowed (at this time, from that host, etc.)
b) if the user does prove to be him/her to his/her account (authentication)
The second step checks, if the user (now authenticated) is allowed to
access his/her account (at this time, until payment ...)
The "session" (setup) step, does not involve ldap and is not supported
either, although principially it could be nice too.
However note, that there exist other approach to Autentication
databases to, nsswitch!
With the following setup:
--------------------------------------
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: files
services: files
ethers: files
rpc: files
netgroup: nis
---------------------------------------
you make some programms check first the /etc/passwd file to see if it
finds the user, and then the ldap database.
This is very nice, because you can autenticate root, and some "local"
users, even if the ldap server does not work, or the network
connection gets lost.
I have both aproaches on my home-network, and the sad thing about it
is, that actually Debian is not consistent about either, so things do
not always work out well (to save the honor of Debian: at my knowledge
there is no system which works consistently).
>
> Could anyone point me to some good resources to get me going? I prefer
> online for the moment, I am planning on getting a book or two later.
???
Hope this Megamail helped something out.
Best Regards,
Jorge-León
--
To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: