
Re: How to change the login look up order with LDAP?

Tony Earnshaw wrote:
Sun, 2003-02-02 at 22:41, julien Touche wrote:

In fact, it's a redhat "problem".
When you configure auth with the redhat "setup" tool, it manages to change only ONE file. That's why auth is returned by service=system-auth, which is used in all other pam files.


and by default, an ldap-configured auth is not reporting to files ... ask redhat why ...

Hmmm ... thanks. I should have known. In fact, no mention was made of
the distro in the original poster's question.

Yesterday RH sent me an automated "you're going to get struck off our
update notification list unless you start using up2date and red carpet
and let us take over your machine from afar."

No way, Red Hat.



For me default RedHat (7.3 and 8.0) works fine as long as the ldap server is available. If not, I had to add the pam_localuser module, and in order to make my /etc/ldap.conf pam_filter work I had to remove "user_unknown=ignore" in the system-auth account service.

So here's a functioning config:

$ cat /etc/pam.d/login
auth       required	/lib/security/pam_securetty.so
auth       required	/lib/security/pam_stack.so service=system-auth
auth       required	/lib/security/pam_nologin.so
account    required	/lib/security/pam_stack.so service=system-auth
password   required	/lib/security/pam_stack.so service=system-auth
session    required	/lib/security/pam_stack.so service=system-auth
session    optional	/lib/security/pam_console.so

$ cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
#auth [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
#account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
account sufficient /lib/security/pam_localuser.so
account [default=bad success=ok service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
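
Added example, not part of the original message: a simplified Python model of how Linux-PAM combines control actions, run over the account stack posted above and over the authconfig-generated variant rebuilt from its commented-out line. The return codes fed in for each module (pam_ldap giving authinfo_unavail when the server is unreachable, user_unknown when pam_filter excludes the user, pam_localuser giving perm_denied for a non-local user) are assumptions chosen to match the behaviour the message describes.

```python
import re

# Simplified model of Linux-PAM control handling; keyword controls expand to these actions.
ALIASES = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")
# Account stack as posted, and as generated (rebuilt from the commented-out line in the post).
POSTED = """
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_localuser.so
account [default=bad success=ok service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
"""
GENERATED = """
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
"""

def parse(text, group):
    """Return [(actions, module file name)] for one management group."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(1) == group:            # comments and blanks never match
            ctl = m.group(2)
            actions = (dict(kv.split("=") for kv in ctl[1:-1].split())
                       if ctl[0] == "[" else ALIASES[ctl])
            stack.append((actions, m.group(3).rsplit("/", 1)[-1]))
    return stack

def evaluate(text, returns, group="account"):
    """returns: module -> assumed return code (an input, not observed output)."""
    impression, status = None, "must_fail"       # nothing has voted yet
    for actions, module in parse(text, group):
        rc = returns[module]
        action = actions.get(rc, actions["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", rc
            if action == "done" and impression == "pos":
                break                            # a passing sufficient module ends the stack
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", rc   # first failure sets the result
            if action == "die":
                break
    return status
```

With the LDAP server down, a local account is refused by the generated stack and accepted by the posted one because pam_localuser ends the stack before pam_ldap is consulted. For a user excluded by pam_filter, the generated stack returns success because user_unknown is ignored, while the posted stack returns user_unknown.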