[ale] [Fwd: Re: OpenLDAP: So close and yet so far]

Jeff Hubbs jeffrey.hubbs at gmail.com
Wed Jun 3 13:45:03 EDT 2009


That makes it worse.  See log output with it both ways at
http://pastebin.com/m5fca56.

With the pam_ldap line where it was, I'm at least able to get "(Invalid
credentials)" returned from pam_ldap; when moved up above the pam_unix line,
pam_ldap never makes a response.


On Wed, Jun 3, 2009 at 12:50 PM, Jim Kinney <jim.kinney at gmail.com> wrote:

> move the pam_ldap line up one. The line above it will always capture
> an event and the ldap line is never called. pam is a sequential
> process down the chain.
>
> In fact, if you want to tighten the security, put the pam_deny line
> before any "sufficient" lines in auth.
>
> On Wed, Jun 3, 2009 at 12:36 PM, Jeff Hubbs<jeffrey.hubbs at gmail.com>
> wrote:
> > Jerald -
> >
> > That line is in there...in fact, let me paste the whole system-auth file:
> >
> > #%PAM-1.0
> >
> > auth            required        pam_env.so
> > auth            sufficient      pam_unix.so try_first_pass likeauth nullok
> > auth            sufficient      pam_ldap.so use_first_pass
> > auth            required        pam_deny.so
> >
> > account         required        pam_unix.so
> > account         sufficient      pam_ldap.so
> >
> > password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
> > password        sufficient      pam_unix.so try_first_pass nullok md5 shadow use_authtok
> > password        sufficient      pam_ldap.so use_authtok
> > password        required        pam_deny.so
> >
> > session         required        pam_limits.so
> > session         required        pam_unix.so
> > session         optional        pam_ldap.so
> >
> >
> >>
> >>
> >> Also, to let pam know about ldap, look for a line like so:
> >>
> >> auth        sufficient    pam_ldap.so use_first_pass
> >>
> >> in /etc/pam.d/system-auth
> >>
> >> Also, if you want to have home directories automagically made for
> >> first-time logins, you need:
> >>
> >> session     required      pam_mkhomedir.so
> >
> > Cool trick - dunno if I'll use that now but it's good to know.
> >
> > Thanks,
> > Jeff
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> >
> >
>
>
>
> --
> --
> James P. Kinney III
> Actively in pursuit of Life, Liberty and Happiness
>
>
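
A small simulator of the Linux-PAM control flags (required, requisite, sufficient, optional), added here as an example that is not part of the thread, run over the auth section of the posted system-auth in the orderings discussed above (as posted, pam_ldap above pam_unix, and pam_deny before the sufficient lines). The per-scenario module results and the helper names are constructed for the example.

```python
# Added example (not from the thread): a minimal model of how Linux-PAM walks
# an "auth" stack, to check what the pam_unix.so / pam_ldap.so ordering in the
# posted system-auth means. Module results are constructed; real PAM is not called.
SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = (
    "success", "auth_err", "user_unknown", "perm_denied")

# The auth section as posted in the thread, as (control, module) pairs.
POSTED_AUTH = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
               ("sufficient", "pam_ldap.so"), ("required", "pam_deny.so")]
# Constructed scenarios: what each module would return for a given login.
LDAP_ONLY_GOOD_PW = {"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": SUCCESS}
LDAP_ONLY_BAD_PW = {"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": AUTH_ERR}
LOCAL_GOOD_PW = {"pam_unix.so": SUCCESS, "pam_ldap.so": USER_UNKNOWN}

def run_auth_stack(stack, outcomes):
    """Walk the stack with Linux-PAM control-flag rules.
    Returns (final_result, list_of_modules_actually_called)."""
    called, first_failure, required_ok = [], None, False
    for control, module in stack:
        called.append(module)
        result = outcomes.get(module, SUCCESS)  # pam_env.so: success
        if module == "pam_deny.so":
            result = AUTH_ERR  # pam_deny.so always fails
        ok = result == SUCCESS
        if control == "requisite" and not ok:
            return result, called  # requisite failure aborts at once
        if control == "required":
            if ok:
                required_ok = True
            elif first_failure is None:
                first_failure = result  # remembered; the stack still runs
        elif control == "sufficient" and ok and first_failure is None:
            return SUCCESS, called  # success here ends the stack
        # a failing sufficient or any optional line does not change the outcome
    if first_failure is not None:
        return first_failure, called
    return (SUCCESS if required_ok else PERM_DENIED), called

def swap_modules(stack, a, b):
    """Copy of stack with the lines for modules a and b exchanged."""
    names, s = [m for _, m in stack], list(stack)
    i, j = names.index(a), names.index(b)
    s[i], s[j] = s[j], s[i]
    return s

def deny_first(stack):
    """Move pam_deny.so above the first sufficient line of the stack."""
    rest = [e for e in stack if e[1] != "pam_deny.so"]
    k = next(i for i, e in enumerate(rest) if e[0] == "sufficient")
    return rest[:k] + [("required", "pam_deny.so")] + rest[k:]
```

Running the three stacks against the three scenarios shows which modules are reached in each ordering and whether a required pam_deny placed ahead of the sufficient lines still lets any login through.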