ldap authorization

Troy Knabe knabe at 4j.lane.edu
Wed Oct 10 22:26:48 UTC 2007


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Esquivel, Vicente wrote:
> What does your pam system-auth look like for the account statements?
> 
> 
> 
>> -----Original Message-----
>> From: redhat-list-bounces at redhat.com 
>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Troy Knabe
>> Sent: Wednesday, October 10, 2007 4:40 PM
>> To: General Red Hat Linux discussion list
>> Subject: Re: ldap authorization
>>
>> # Group to enforce membership of
>> pam_groupdn cn=troy_test,ou=Groups,dc=company,dc=com ## Yes, 
>> I replaced this with my basedn)
>>
>> # Group member attribute
>> pam_member_attribute uniquemember
>>
>>
>> I am the only member of the group, and uniqueMember is the attribute.
>>
>> -Troy
>>
>> Esquivel, Vicente wrote:
>>> For me I only had to make sure that the correct pam_member_attribute
>>> was set inside the ldap.conf file.
>>>
>>> Vince
>>>
>>>> -----Original Message-----
>>>> From: redhat-list-bounces at redhat.com 
>>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Troy Knabe
>>>> Sent: Wednesday, October 10, 2007 4:35 PM
>>>> To: General Red Hat Linux discussion list
>>>> Subject: RE: ldap authorization
>>>>
>>>> So I have done this and restarted nscd and even rebooted, but still
>>>> everyone with an account can access the server.  What am I missing?
>>>> -Troy
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: redhat-list-bounces at redhat.com 
>>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of mups.cp
>>>> Sent: Wednesday, October 10, 2007 12:40 PM
>>>> To: General Red Hat Linux discussion list
>>>> Subject: Re: ldap authorization
>>>>
>>>> First create a groupOfUniqueNames objectClass in your ldap and set
>>>> uniqueMember with the full dn for those users that should be allowed
>>>> access.
>>>> In /etc/ldap.conf
>>>> pam_groupdn cn=unixusers,ou=Groups,dc=domain,dc=com
>>>> Where unixusers is the group with the groupOfUniqueNames objectClass
>>>> you defined before.
>>>>
>>>>
>>>> On 10/10/07, Esquivel, Vicente <Esquivelv at uhd.edu> wrote:
>>>>> I have much interest on how to get pam_groupdn to work because I have
>>>>> been battling with it for a few days now with no hope in sight.
>>>>>
>>>>> Vince
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: redhat-list-bounces at redhat.com 
>>>>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of mups.cp
>>>>>> Sent: Wednesday, October 10, 2007 2:30 PM
>>>>>> To: General Red Hat Linux discussion list
>>>>>> Subject: Re: ldap authorization
>>>>>>
>>>>>> You could use the pam_groupdn option.
>>>>>>
>>>>>> On 10/10/07, Troy Knabe <knabe at 4j.lane.edu> wrote:
>>>>>>> I am using Kerberos for authentication and ldap for
>>>>>>> authorization.  But I want to limit the ldap users who can login to
>>>>>>> the server to a specific group.
>>>>>>>
>>>>>>> Anyone have any pearls of wisdom on what needs to be added
>>>>>>> to the ldap.conf???
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> -Troy
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> redhat-list mailing list
>>>>>>> unsubscribe
>>>>>> mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>>>>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>>>>>>
> 
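Vince's question about the account lines points at what a defender checks first here: pam_groupdn and pam_member_attribute are settings in /etc/ldap.conf that pam_ldap.so reads and enforces in its account-management phase, so they have no effect on a service whose account stack never calls pam_ldap.so (the system-auth posted above calls pam_unix, pam_succeed_if, pam_krb5 and pam_permit there). The following Python script is an added example, not code from the thread or from pam_ldap: it parses a PAM service file to see whether pam_ldap.so is in the account stack, parses a ldap.conf fragment and a single LDIF group entry, and emulates the groupOfUniqueNames membership test. The sample system-auth, ldap.conf and LDIF text are constructed, and the DN comparison is a simplified case-insensitive string match rather than full DN normalisation.

```python
"""Check whether an LDAP group restriction (pam_groupdn) can take effect.

Added example, not code from the thread. Two things to verify before
trusting "only members of the group may log in":
  1. the PAM account stack must call pam_ldap.so, because pam_groupdn and
     pam_member_attribute are enforced by pam_ldap's account hook;
  2. the group entry must list the permitted users' full DNs under the
     configured member attribute (uniqueMember for groupOfUniqueNames).
All inputs below are constructed sample data.
"""
import re

# Constructed: an account stack modelled on the one posted in the thread
# (pam_unix + pam_krb5, no pam_ldap.so) and a variant that adds pam_ldap.
SYSTEM_AUTH_NO_LDAP = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
session     required      pam_unix.so
"""

SYSTEM_AUTH_WITH_LDAP = SYSTEM_AUTH_NO_LDAP.replace(
    "account     required      pam_permit.so",
    "account     [default=bad success=ok user_unknown=ignore] pam_ldap.so\n"
    "account     required      pam_permit.so",
)

# Constructed: /etc/ldap.conf fragment and the group entry in LDIF form.
LDAP_CONF = """\
base dc=company,dc=com
# Group to enforce membership of
pam_groupdn cn=troy_test,ou=Groups,dc=company,dc=com
# Group member attribute
pam_member_attribute uniquemember
"""

GROUP_LDIF = """\
dn: cn=troy_test,ou=Groups,dc=company,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: troy_test
uniqueMember: uid=troy,ou=People,dc=company,dc=com
"""


def parse_pam_stack(text):
    """Return {phase: [module, ...]} from a PAM service file."""
    stack = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        phase, rest = line.split(None, 1)
        # The control field is either one word or a bracketed expression
        # that may contain spaces; the module name follows it.
        m = re.match(r"(\[[^\]]*\]|\S+)\s+(\S+)", rest)
        if m:
            stack.setdefault(phase, []).append(m.group(2))
    return stack


def account_stack_calls_ldap(text):
    """True if pam_ldap.so participates in the account phase."""
    return "pam_ldap.so" in parse_pam_stack(text).get("account", [])


def parse_ldap_conf(text):
    """Return {key: value} for the non-comment lines of ldap.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def parse_ldif_entry(text):
    """Minimal single-entry LDIF parser (no base64 values):
    {attribute name lowercased: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def ldap_group_allows(conf, entry, user_dn):
    """Emulate the pam_groupdn test: is user_dn among the values of
    pam_member_attribute on the entry whose dn equals pam_groupdn?
    LDAP attribute names are case-insensitive, so 'uniquemember' in
    ldap.conf matches 'uniqueMember' in the directory."""
    if entry.get("dn", [""])[0].lower() != conf["pam_groupdn"].lower():
        return False
    members = entry.get(conf["pam_member_attribute"].lower(), [])
    return user_dn.lower() in (m.lower() for m in members)


def login_permitted(system_auth, conf, entry, user_dn):
    """Combined verdict: the group restriction only applies when the
    account stack consults pam_ldap.so; otherwise any valid account
    passes the account phase of this stack."""
    if not account_stack_calls_ldap(system_auth):
        return True  # restriction is never evaluated
    return ldap_group_allows(conf, entry, user_dn)


if __name__ == "__main__":
    conf = parse_ldap_conf(LDAP_CONF)
    group = parse_ldif_entry(GROUP_LDIF)
    for who in ("uid=troy,ou=People,dc=company,dc=com",
                "uid=someone,ou=People,dc=company,dc=com"):
        print(who,
              "no pam_ldap:", login_permitted(SYSTEM_AUTH_NO_LDAP, conf, group, who),
              "with pam_ldap:", login_permitted(SYSTEM_AUTH_WITH_LDAP, conf, group, who))
```

Running the script on your real /etc/pam.d/system-auth and ldap.conf (read the files instead of the constructed strings) tells you whether the group check is reachable at all before you start debugging the directory side; the LDIF half is for checking that the group uses the objectClass and member attribute that ldap.conf names.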



