[ale] [Fwd: Re: OpenLDAP: So close and yet so far]

Jerald Sheets questy at gmail.com
Wed Jun 3 15:12:32 EDT 2009


Redhat/Debian/Ubuntu/Slack?  Which?

On Wed, Jun 3, 2009 at 2:33 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:

> Just like that.
>
>
> On Wed, Jun 3, 2009 at 2:20 PM, Jerald Sheets <questy at gmail.com> wrote:
>
>> What does your /etc/nsswitch.conf look like for passwd/shadow/group?
>>
>> passwd:     files ldap
>> shadow:     files ldap
>> group:      files ldap
>>
>>
>> --j
>>
>>
>> On Wed, Jun 3, 2009 at 1:45 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>>
>>> That makes it worse.  See log output with it both ways at
>>> http://pastebin.com/m5fca56.
>>>
>>> With the pam_ldap line where it was, I'm at least able to get "(Invalid
>>> credentials)" returned from pam_ldap; when moved up above the pam_unix line,
>>> pam_ldap never makes a response.
>>>
>>>
>>> On Wed, Jun 3, 2009 at 12:50 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>>>
>>>> move the pam_ldap line up one. The line above it will always capture
>>>> an event and the ldap line is never called. pam is a sequential
>>>> process down the chain.
>>>>
>>>> In fact, if you want to tighten the security, put the pam_deny line
>>>> before any "sufficient" lines in auth.
>>>>
>>>> On Wed, Jun 3, 2009 at 12:36 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>>>> > Jerald -
>>>> >
>>>> > That line is in there...in fact, let me paste the whole system-auth
>>>> file:
>>>> >
>>>> > #%PAM-1.0
>>>> >
>>>> > auth            required        pam_env.so
>>>> > auth            sufficient      pam_unix.so try_first_pass likeauth nullok
>>>> > auth            sufficient      pam_ldap.so use_first_pass
>>>> > auth            required        pam_deny.so
>>>> >
>>>> > account         required        pam_unix.so
>>>> > account         sufficient      pam_ldap.so
>>>> >
>>>> > password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
>>>> > password        sufficient      pam_unix.so try_first_pass nullok md5 shadow use_authtok
>>>> > password        sufficient      pam_ldap.so use_authtok
>>>> > password        required        pam_deny.so
>>>> >
>>>> > session         required        pam_limits.so
>>>> > session         required        pam_unix.so
>>>> > session         optional        pam_ldap.so
>>>> >
>>>> >
>>>> >>
>>>> >>
>>>> >> Also, to let pam know about ldap, look for a line like so:
>>>> >>
>>>> >> auth        sufficient    pam_ldap.so use_first_pass
>>>> >>
>>>> >> in /etc/pam.d/system-auth
>>>> >>
>>>> >> Also, if you want to have home directories automagically made for
>>>> >> first-time logins, you need:
>>>> >>
>>>> >> session     required      pam_mkhomedir.so
>>>> >
>>>> > Cool trick - dunno if I'll use that now but it's good to know.
>>>> >
>>>> > Thanks,
>>>> > Jeff
>>>> >
>>>> > _______________________________________________
>>>> > Ale mailing list
>>>> > Ale at ale.org
>>>> > http://mail.ale.org/mailman/listinfo/ale
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>> --
>>>> James P. Kinney III
>>>> Actively in pursuit of Life, Liberty and Happiness
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> ---
>> Jerald M. Sheets jr.
>>
>>
>>
>>
>
>
>


-- 
---
Jerald M. Sheets jr.
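Added here as an illustration, not code from the thread or from any list member: a small Python model of how PAM walks an "auth" stack, fed the auth lines of the system-auth file quoted above. Module outcomes are constructed stand-ins passed in by the caller (no real PAM module is invoked), and it reports which modules actually get called, so the ordering question raised in the thread can be checked against the control-flag semantics in pam.d(5).

```python
# Added example, not from the thread: a minimal simulator of PAM's "auth"
# stack control flags (required/requisite/sufficient/optional) per pam.d(5),
# for reasoning about module ordering. Module outcomes are supplied by the
# caller as constructed stand-ins; no real PAM module is invoked.

# The auth section of the system-auth file posted in the thread.
SYSTEM_AUTH = """\
#%PAM-1.0
auth            required        pam_env.so
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
auth            required        pam_deny.so
"""

def parse_stack(text, service="auth"):
    """Return [(control, module)] entries for one service type, in order."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == service:
            stack.append((fields[1], fields[2]))
    return stack

def run_stack(stack, results):
    """Evaluate a stack top to bottom.

    results maps module name -> True (PAM_SUCCESS) or False (failure).
    Modules absent from results succeed, except pam_deny.so, which always
    fails. Returns (access_granted, modules_actually_called)."""
    called = []
    required_failed = False
    for control, module in stack:
        called.append(module)
        ok = False if module == "pam_deny.so" else results.get(module, True)
        if control == "required":
            # failure is remembered but the chain keeps running
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False, called  # fail immediately
        elif control == "sufficient":
            # success ends the chain only if no required module failed;
            # a sufficient failure is ignored and the next module runs
            if ok and not required_failed:
                return True, called
        # optional: result ignored in this simplified model
    return not required_failed, called
```

Call `run_stack(parse_stack(SYSTEM_AUTH), {...})` with a dict of per-module outcomes to see which modules run; putting pam_deny.so as `required` ahead of the sufficient lines makes every outcome a denial.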