[ale] [Fwd: Re: OpenLDAP: So close and yet so far]

Jerald Sheets questy at gmail.com
Wed Jun 3 14:20:47 EDT 2009


What does your /etc/nsswitch.conf look like for passwd/shadow/group?

passwd:     files ldap
shadow:     files ldap
group:      files ldap


--j

On Wed, Jun 3, 2009 at 1:45 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:

> That makes it worse.  See log output with it both ways at
> http://pastebin.com/m5fca56.
>
> With the pam_ldap line where it was, I'm at least able to get "(Invalid
> credentials)" returned from pam_ldap; when moved up above the pam_unix line,
> pam_ldap never makes a response.
>
> On Wed, Jun 3, 2009 at 12:50 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>
>> move the pam_ldap line up one. The line above it will always capture
>> an event and the ldap line is never called. pam is a sequential
>> process down the chain.
>>
>> In fact, if you want to tighten the security, put the pam_deny line
>> before any "sufficient" lines in auth.
>>
>> On Wed, Jun 3, 2009 at 12:36 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>> > Jerald -
>> >
>> > That line is in there...in fact, let me paste the whole system-auth file:
>> >
>> > #%PAM-1.0
>> >
>> > auth            required        pam_env.so
>> > auth            sufficient      pam_unix.so try_first_pass likeauth nullok
>> > auth            sufficient      pam_ldap.so use_first_pass
>> > auth            required        pam_deny.so
>> >
>> > account         required        pam_unix.so
>> > account         sufficient      pam_ldap.so
>> >
>> > password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
>> > password        sufficient      pam_unix.so try_first_pass nullok md5 shadow use_authtok
>> > password        sufficient      pam_ldap.so use_authtok
>> > password        required        pam_deny.so
>> >
>> > session         required        pam_limits.so
>> > session         required        pam_unix.so
>> > session         optional        pam_ldap.so
>> >
>> >
>> >>
>> >>
>> >> Also, to let pam know about ldap, look for a line like so:
>> >>
>> >> auth        sufficient    pam_ldap.so use_first_pass
>> >>
>> >> in /etc/pam.d/system-auth
>> >>
>> >> Also, if you want to have home directories automagically made for
>> >> first-time logins, you need:
>> >>
>> >> session     required      pam_mkhomedir.so
>> >
>> > Cool trick - dunno if I'll use that now but it's good to know.
>> >
>> > Thanks,
>> > Jeff
>> >
>> > _______________________________________________
>> > Ale mailing list
>> > Ale at ale.org
>> > http://mail.ale.org/mailman/listinfo/ale
>> >
>> >
>>
>>
>>
>> --
>> --
>> James P. Kinney III
>> Actively in pursuit of Life, Liberty and Happiness
>>
>
>
>


-- 
---
Jerald M. Sheets jr.
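An added example, not code from anyone in this thread: a small Python simulator of Linux-PAM control-flag semantics (required/requisite/sufficient/optional), run over the auth section of the system-auth stack Jeff posted above. It shows that a failing sufficient line does not end the stack, so pam_ldap.so is reached whenever pam_unix.so rejects the user, and that evaluation stops early only at a successful sufficient line or at the final required pam_deny.so. Module outcomes come from a constructed dict standing in for the real module calls; only pam_env, pam_unix, pam_ldap and pam_deny are modelled.

```python
# Constructed example: simulate Linux-PAM control-flag evaluation over the auth
# section of the system-auth stack posted in this thread. Module results come
# from a dict (True = PAM_SUCCESS) standing in for real module calls; not libpam.
SYSTEM_AUTH = """\
#%PAM-1.0
auth            required        pam_env.so
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
auth            required        pam_deny.so
"""

def parse_stack(text, section="auth"):
    """Return [(control, module)] for one section, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            typ, control, module, *_args = line.split()
            if typ == section:
                entries.append((control, module))
    return entries

def evaluate(entries, outcomes):
    """Walk the stack top to bottom like the PAM dispatcher; return (result, modules_called).
    pam_deny.so always fails; modules absent from `outcomes` (pam_env.so) succeed."""
    called, required_failed = [], False
    for control, module in entries:
        ok = outcomes.get(module, module != "pam_deny.so")
        called.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return "success", called   # stack stops here; later lines never run
        elif control == "requisite" and not ok:
            return "fail", called          # requisite failure aborts immediately
        elif control == "required" and not ok:
            required_failed = True         # remembered, but the walk continues
    return ("fail" if required_failed else "success"), called

# Constructed scenarios; pam_ldap.so is reached in both LDAP cases.
SCENARIOS = {
    "local user, good password":      {"pam_unix.so": True},
    "ldap user, bind succeeds":       {"pam_unix.so": False, "pam_ldap.so": True},
    "ldap user, invalid credentials": {"pam_unix.so": False, "pam_ldap.so": False},
}

if __name__ == "__main__":
    stack = parse_stack(SYSTEM_AUTH)
    for name, outcomes in SCENARIOS.items():
        result, called = evaluate(stack, outcomes)
        print(f"{name:32} -> {result:7} via {' -> '.join(called)}")
```

The third scenario reproduces the thread's "(Invalid credentials)" case: pam_ldap.so is called and fails, so the walk continues to pam_deny.so and the login is refused.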