[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How to change the login look up order with LDAP?

To: Tony Earnshaw <tonni@billy.demon.nl>
Subject: Re: How to change the login look up order with LDAP?
From: Jehan PROCACCIA <Jehan.Procaccia@int-evry.fr>
Date: Mon, 03 Feb 2003 09:48:04 +0100
Cc: julien Touche <julien.touche@lycos.com>, Shi Jin <jinzishuai@yahoo.com>, software openldap <openldap-software@OpenLDAP.org>
References: <20030202190849.91303.qmail@web14912.mail.yahoo.com> <1044216687.26213.87.camel@localhost> <3E3D909C.9070302@lycos.com> <1044255068.32234.8.camel@localhost>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Tony Earnshaw wrote:

søn, 2003-02-02 kl. 22:41 skrev julien Touche:
In fact, it's a redhat "problem". when you configure auth with the redhat "setup" tool, it manages to change only ONE file. that's why auth is resturned by service=system-auth, which is used in all other pam files.
<snip>
and by default, an ldap-configured auth is not reporting to files ... ask redhat why ...
Hmmm ... thanks. I should have known. In fact, no mention was made of
the distro in the original poster's question.
Yesterday RH sent me an automated "you're going to get struck off our
update notification list unless you start using up2date and red carpet
and let us take over your machine from afar."
No way, Red Hat.
Best,
Tony

For me default RedHat (7.3 and 8.0) works fine as long as ldap server is available. If not, I had to add pam_localuser module, and in order to make my /etc/ldap.conf pam_filter works I had to remove "user_unknown=ignore" in system-auth account service.

So here's a functionning config:

$cat /etc/pam.d/login
#%PAM-1.0
auth       required	/lib/security/pam_securetty.so
auth       required	/lib/security/pam_stack.so service=system-auth
auth       required	/lib/security/pam_nologin.so
account    required	/lib/security/pam_stack.so service=system-auth
password   required	/lib/security/pam_stack.so service=system-auth
session    required	/lib/security/pam_stack.so service=system-auth
session    optional	/lib/security/pam_console.so

$cat /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_unix.so likeauth nullok auth sufficient /lib/security/pam_ldap.so use_first_pass #auth [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so use_first_pass auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so #account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so account sufficient /lib/security/pam_localuser.so account [default=bad success=ok service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password required /lib/security/pam_cracklib.so retry=3 type= password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow password sufficient /lib/security/pam_ldap.so use_authtok password required /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

Follow-Ups:
- run Ldap?
  - From: "Cristian Tudose" <cristi@technova.ro>
- Re: How to change the login look up order with LDAP?
  - From: Tony Earnshaw <tonni@billy.demon.nl>

References:
- Re: How to change the login look up order with LDAP?
  - From: Shi Jin <jinzishuai@yahoo.com>
- Re: How to change the login look up order with LDAP?
  - From: Tony Earnshaw <tonni@billy.demon.nl>
- Re: How to change the login look up order with LDAP?
  - From: julien Touche <julien.touche@lycos.com>
- Re: How to change the login look up order with LDAP?
  - From: Tony Earnshaw <tonni@billy.demon.nl>

Prev by Date: Re: Troble adding jpegPhoto attribute
Next by Date: run Ldap?
Index(es):
- Chronological
- Thread