[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAM + LDAP auth without local accounts ?



In our environment we've had success with Netware 6.0.2 and RedHat 8.0 using TLS, LDAP and no local user accounts on the linux workstations. From the looks of your config you may want to try pam_password md5 rather than crypt. We've published a document that may be helpful to you at: http://www.novell.com/coolsolutions/nds/features/a_linux_auth_ldap_edir.html. 

We also found that using the Account Mgmt. 2.1 snapins to ConsoleOne was an easy way to edit attributes on the posixAccount and posixGroup schema however, there other ways to do this a la LDIF. Another individual found another solution/addition by mapping LDAP classes to NDS classes at:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3f66de42.8929781%40support-forums.novell.com&rnum=7

I like the work you've done with PAM mount module, we'll have to try that in house.

Jeffrey Brown
UNIX/Linux SA
Jefferson County, Colorado USA

>>> yann forget etat ge ch 3/12/2004 6:24:21 AM >>>
Hi,

I have Linux stations using Novell NDS / eDirectory for authentification.
Works fine so far if I have local accounts in /etc/passwd (password
desactivited in /etc/shadow).
What is the necessary config for logging *without* a local account in
/etc/passwd?

I also use pam_mount and it works fine.

/etc/nsswitch.conf

passwd:	ldap files
shadow:	ldap files
group:	ldap files

============================
/etc/security/pam_mount.conf

debug 1
mkmountpoint 1
lsof /usr/bin/lsof

options_require	nosuid,nodev

luserconf .pam_mount.conf

smbmount /bin/mount -t smbfs
ncpmount /bin/mount -t ncpfs
umount   /bin/umount
lclmount /bin/mount -p0

volume * ncp novell_name_of_server usr/cti/& /home/&
ipserver=unix_name_of_server,user=&.novell_context,uid=&,gid=users - - 
============================

/etc/ldap.conf

host	mialplacidus
base	ou=cti,ou=aca82,ou=d,o=nhp
ldap_version	3

port 636
pam_password	crypt
sslpath /etc/ssl/certs/cert7.db

nss_base_passwd	<context>
nss_base_shadow	<context>
nss_base_group	<context>
ssl on

tls_cacertdir /etc/ssl/certs
===========================

/etc/security/pam_unix2.conf

auth:	use_ldap nullok
account:	use_ldap
password:	use_ldap nullok
session:	none
===========================

/etc/pam.d/login

#%PAM-1.0
auth   	requisite	pam_unix2.so		nullok
auth	 	required	pam_securetty.so
auth   	required    pam_nologin.so
#auth	 	required	pam_homecheck.so
auth   	required    pam_env.so
auth	 	required	pam_mail.so
account  	required    pam_unix2.so
password 	required	pam_pwcheck.so		nullok
password 	required    pam_unix2.so		nullok
use_first_pass use_authtok
session  	required    pam_unix2.so		none # debug or
trace
session  	required    pam_limits.so

session   	required  	pam_mount.so use_first_pass
auth      	required  	pam_mount.so use_first_pass
===========================


Thanks,
Yann

--
OSS consultant
Centre des Technologies de l'Information
Etat de Genève
82 rue des Acacias
1227 Carouge (GE)
Tél. +41-22-325 11 62


_______________________________________________
Pam-list mailing list
Pam-list redhat com 
https://www.redhat.com/mailman/listinfo/pam-list




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]