Re: ldap Documentation
- From: Alain RICHARD <alain richard equation fr>
- To: enigma-list redhat com
- Subject: Re: ldap Documentation
- Date: Thu, 24 Jan 2002 19:04:35 +0100
You are right, authconfig does a better job if you click the right items!!!
In my case, and probably for many other users, I have to manually edit the
result to incorporate the changes shown with +/- :
[root julie pam.d]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
+account sufficient /lib/security/pam_localuser.so
+account required /lib/security/pam_access.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
-session optional /lib/security/pam_ldap.so
+session optional /lib/security/pam_mkhomedir.so
[root julie pam.d]#
The pam_mkhomedir line is a personal need, but the lines with pam_localuser and
pam_access make it possible to apply some restrictions in /etc/security/access.conf
to ldap accounts only, and this may be of some help.
Another thing I am currently investigating is replacing all or some
pam_unix with pam_pwdb. This is because pam_unix relies on libc libraries
that rely on nsswitch.conf, and nsswitch is configured to look up ldap
for passwd, shadow and group. So the ldap server is looked up twice with
that setup, once by the pam_unix module (which fails for auth because on a
correctly set up ldap server, the password is not readable) and then by
ldap.
Another bad thing with authconfig is (as explained in the system-auth
file) that it erases system-auth completely. A warning and a backup of the
previous system-auth may be a good idea to solve this issue.
Regards,
On Thursday 24 January 2002, at 04:19, Nalin Dahyabhai wrote:
On Thu, Jan 24, 2002 at 11:29:12AM +0100, Alain RICHARD wrote:
authconfig does not set up the /etc/pam.d/system-auth file correctly (it
relies in fact on the ldap password being freely accessible through the nss_ldap
module and does not use the pam_ldap module).
There are two pages in the tool, the first lets you enable nss_ldap,
and the second lets you enable pam_ldap.
Nalin
_______________________________________________
enigma-list mailing list
enigma-list redhat com
https://listman.redhat.com/mailman/listinfo/enigma-list
----------------------------------------------------------
Alain RICHARD <mailto:alain richard equation fr>
EQUATION SA <http://www.equation.fr/>
Phone : +33 477 79 48 00 Fax : +33 477 79 48 01
client/server applications, network and linux engineering
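As an added example (not from the mail, authconfig or Linux-PAM itself), a small simulation of the account stack shown above under the classic required/sufficient control-flag rules: it shows that a user found in /etc/passwd returns at pam_localuser before pam_access is ever consulted, while an LDAP-only account is checked against access.conf. The per-module outcomes for each scenario are constructed.

```python
"""Evaluate the 'account' stack from the mail with classic Linux-PAM control
flags, to show why pam_access only ever sees LDAP users. Added example; the
module outcomes are constructed, not real PAM calls."""

# Account stack exactly as in the mail (control flag, module), in order.
ACCOUNT_STACK = [
    ("required", "pam_unix"),
    ("sufficient", "pam_localuser"),  # succeeds only for users in /etc/passwd
    ("required", "pam_access"),       # enforces /etc/security/access.conf
    ("required", "pam_ldap"),
]

# Constructed outcomes: module -> True (success) / False (failure). The local
# user would be rejected by access.conf, but never reaches pam_access.
SCENARIOS = {
    "local": {"pam_unix": True, "pam_localuser": True,
              "pam_access": False, "pam_ldap": True},
    "ldap-denied": {"pam_unix": True, "pam_localuser": False,
                    "pam_access": False, "pam_ldap": True},
    "ldap-allowed": {"pam_unix": True, "pam_localuser": False,
                     "pam_access": True, "pam_ldap": True},
}


def run_stack(stack, results):
    """Return (final_ok, modules_consulted) under simplified PAM rules:
    required  - a failure is remembered, but the rest of the stack still runs;
    sufficient - success with no earlier required failure ends the stack with
                 success, and a failure is simply ignored."""
    consulted, required_failed = [], False
    for flag, module in stack:
        ok = results[module]
        consulted.append(module)
        if flag == "required" and not ok:
            required_failed = True
        elif flag == "sufficient" and ok and not required_failed:
            return True, consulted  # short-circuit: later modules never run
    return not required_failed, consulted


def verdict(scenario):
    """Evaluate one constructed scenario against the mail's account stack."""
    return run_stack(ACCOUNT_STACK, SCENARIOS[scenario])


if __name__ == "__main__":
    for name in SCENARIOS:
        ok, seen = verdict(name)
        print(f"{name:13s} {'allow' if ok else 'deny '} consulted: {seen}")
```

Note that the local user's "pam_access": False outcome is deliberately set to a denial to make the point: the verdict is still allow, because the sufficient pam_localuser entry ends the stack before pam_access runs.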