/etc/pam.d/su with ldap

Anthony admin.cluster at gmail.com
Tue May 30 08:58:40 UTC 2006


Doug Weimer wrote:

>On Mon, 29 May 2006, Anthony wrote:
>
>>Hi, I have modified my /etc/su file so that it integrates LDAP.
>>
>>I have a small problem: whenever the root user does a
>>$su - username1
>>password:
>>
>>it asks me for a password; I hit 'enter' and then I get the prompt.
>>
>>What is wrong with my su config file?
>>
><snip>
>># cat /etc/pam.d/su
>>#%PAM-1.0
>>#pam_ldap Added by me
>>auth       sufficient   pam_ldap.so
>>account    sufficient   pam_ldap.so
>>password   sufficient   pam_ldap.so
>>
>>auth       sufficient   /lib/security/$ISA/pam_rootok.so
>
>I believe that pam starts at the top of a configuration file and then runs 
>each applicable module in the order it is listed. With this configuration
>the first 'auth' entry is pam_ldap.so and this module will prompt for a
>password. By hitting enter at the prompt, this auth check will fail. Upon
>failure, pam will then go to the pam_rootok.so module which will succeed
>and allow root to su.
>
>Have you tried putting the pam_rootok.so line first?
>
>Thanks,
>
>Doug
>
>--
>redhat-sysadmin-list mailing list
>redhat-sysadmin-list at redhat.com
>https://www.redhat.com/mailman/listinfo/redhat-sysadmin-list
>
OK, it worked, but I now have a different problem:
when I switch from an LDAP account to the root account by typing su -,
it gives the Password prompt twice: I can type anything at the first
prompt, then the real password at the second prompt...

my new /etc/pam.d/su file looks like this:
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
#pam_ldap Added by me
auth       sufficient   pam_ldap.so
account    sufficient   pam_ldap.so
password   sufficient   pam_ldap.so

# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth try_first_pass
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open multiple
session    optional     /lib/security/$ISA/pam_xauth.so
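The behaviour Doug describes (PAM walks the auth stack top to bottom, a "sufficient" success ends the walk, a "sufficient" failure is ignored, a "required" failure is remembered but later modules still run) explains both symptoms in this thread, and it is easy to check by modelling it. The following is an added illustration, not code from this thread or from Linux-PAM. It assumes pam_unix as the module that "pam_stack.so service=system-auth" ends in on a stock Red Hat box, uses constructed account names and passwords, and models the standard "try_first_pass" option (reuse the password already typed for an earlier module, prompt again only if it is wrong), which the posted file already uses on its password line.

```python
"""Toy model of how Linux-PAM walks an 'auth' stack.

Added example, not code from the thread or from Linux-PAM.  It reproduces
the two symptoms discussed: the single "press enter" prompt when pam_ldap
sits above pam_rootok, and the double prompt when an LDAP user runs 'su -'
to root with pam_ldap listed above the system-auth stack.  Module behaviour
is simplified; user names and passwords are constructed sample data.
"""

from dataclasses import dataclass
from typing import Optional

# Constructed directory contents: which backend knows which account.
LDAP_USERS = {"username1": "ldap-pw"}   # accounts served by pam_ldap
LOCAL_USERS = {"root": "root-pw"}       # accounts in /etc/shadow (pam_unix)


@dataclass
class Ctx:
    caller_uid: int                 # uid of the user typing 'su'
    target: str                     # account being switched to
    typed: list                     # what the user will type at each prompt
    authtok: Optional[str] = None   # password remembered from an earlier prompt
    prompts: int = 0                # how many password prompts were shown

    def ask_password(self) -> str:
        """Show a prompt and stash the answer as the stacked auth token."""
        self.prompts += 1
        self.authtok = self.typed.pop(0) if self.typed else ""
        return self.authtok


def pam_rootok(ctx: Ctx, opts: set) -> bool:
    # Succeeds without any prompt when the caller is already uid 0.
    return ctx.caller_uid == 0


def _password_module(backend: dict, ctx: Ctx, opts: set) -> bool:
    """Shared shape of pam_ldap / pam_unix auth: obtain a password, check it.

    try_first_pass: reuse a password typed for an earlier module and only
    prompt again if that one is wrong (standard Linux-PAM option semantics).
    """
    expected = backend.get(ctx.target)
    if "try_first_pass" in opts and ctx.authtok is not None:
        if ctx.authtok == expected:
            return True
    return ctx.ask_password() == expected


def pam_ldap(ctx: Ctx, opts: set) -> bool:
    return _password_module(LDAP_USERS, ctx, opts)


def pam_unix(ctx: Ctx, opts: set) -> bool:
    # Stands in for 'pam_stack.so service=system-auth' from the thread
    # (assumption: its auth section ends in pam_unix on a stock system).
    return _password_module(LOCAL_USERS, ctx, opts)


def run_auth_stack(stack, ctx: Ctx) -> bool:
    """Evaluate [(control, module, options)] top to bottom, as PAM does.

    required   : a failure makes the final result fail, but later modules
                 still run (so the caller cannot tell which one failed)
    requisite  : a failure returns immediately
    sufficient : a success returns success at once unless an earlier
                 'required' already failed; a failure is simply ignored
    optional   : result only counts if it is the only module in the stack
    """
    required_failed = False
    for control, module, opts in stack:
        ok = module(ctx, opts)
        if control == "required" and not ok:
            required_failed = True
        elif control == "requisite" and not ok:
            return False
        elif control == "sufficient" and ok and not required_failed:
            return True
        elif control == "optional" and len(stack) == 1:
            return ok
    return not required_failed


# The two /etc/pam.d/su auth orderings from the thread, plus a variant
# that lets system-auth reuse the password pam_ldap already asked for.
ORIGINAL = [("sufficient", pam_ldap, set()),
            ("sufficient", pam_rootok, set())]
REORDERED = [("sufficient", pam_rootok, set()),
             ("sufficient", pam_ldap, set()),
             ("required", pam_unix, set())]
REUSE_PW = [("sufficient", pam_rootok, set()),
            ("sufficient", pam_ldap, set()),
            ("required", pam_unix, {"try_first_pass"})]


def simulate(stack, caller_uid: int, target: str, typed) -> tuple:
    """Return (authenticated, number_of_prompts) for one 'su' attempt."""
    ctx = Ctx(caller_uid, target, list(typed))
    return run_auth_stack(stack, ctx), ctx.prompts


if __name__ == "__main__":
    print("root -> username1, pam_ldap first:  ", simulate(ORIGINAL, 0, "username1", [""]))
    print("root -> username1, pam_rootok first:", simulate(REORDERED, 0, "username1", []))
    print("username1 -> root, two prompts:     ",
          simulate(REORDERED, 1000, "root", ["anything", "root-pw"]))
    print("username1 -> root, try_first_pass:  ",
          simulate(REUSE_PW, 1000, "root", ["root-pw"]))
```

Run it and the first line shows root getting one prompt and a shell after pressing enter (pam_ldap fails, pam_rootok then succeeds), the second shows no prompt once pam_rootok is first, and the third shows exactly the double prompt from the follow-up: pam_ldap asks and fails because root is not an LDAP account, then system-auth asks again. The fourth line is the same stack with the non-LDAP module told to try the already-typed password first, which collapses the two prompts into one when the real password is typed at the first prompt.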
