[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Passwords in OpenLDAP - another question


Jadick, Joe a écrit:


I apologize for not getting back to you sooner but I was on vacation; then working on other stuff.

Most of what I have read seems to indicate that you add an entry like this to the /etc/pam.d/sshd file:

auth sufficient /lib/security/pam_ldap.so

in front of the default entry:

auth required /lib/security/pam_unix.so shadow nullok use_first_pass

Also, it looks like you make a similar change to the account entry.

However, my /etc/pam.d/sshd file (RedHat 8.0) looks like this:

[root@anadts41 pam.d]# cat sshd
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
[root@anadts41 pam.d]#

I haven't been able to find a definition of what pam_stack.so is (in the Linux-PAM System Administrators' Guide, for example) so I don't know if this is correct or not.

pam_stack.so work as an include directive, so library defined in "/etc/pam.d/system_auth file are stacked in place where "pam_stack.so" is.

BEWARE: several (all??) pam.d/<files> use stack_pam.so and by the way open authention with LDAP for these services.

Samples (RedHat)
Suppose the system_auth file content is:

## File /etc/pam.d/system-auth
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_localuser.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password sufficient /lib/security//pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

and also ## File /etc/pam.d/su #%PAM-1.0 auth sufficient /lib/security/$ISA/pam_rootok.so auth required /lib/security/$ISA/pam_stack.so service=system-auth account required /lib/security/$ISA/pam_stack.so service=system-auth password required /lib/security/$ISA/pam_stack.so service=system-auth session required /lib/security/$ISA/pam_stack.so service=system-auth session optional /lib/security/$ISA/pam_xauth.so

Thanx for any assistance anyone can provide a PAM/LDAP newbee (in case that wasn't evident from my question!).


-----Original Message----- From: Brent Kearney [mailto:brent@kearneys.ca] Sent: Tuesday, June 24, 2003 2:51 PM To: Jadick, Joe Cc: openldap-software@OpenLDAP.org Subject: Re: Passwords in OpenLDAP - another question

On Tue, Jun 24, 2003 at 02:11:03PM -0700, Jadick, Joe wrote:
> Hi,
> I have a follow-up question to the original thread.
> My environment is Red Hat Linux, 8.0 with OpenLDAP 2.1.17.
> I added a user via useradd; migrated him to LDAP using the migration tools;
> and then deleted him via userdel.
> I find that I can su to this account from another one and, after providing
> the password, everything works OK.
> Also, the getent and ldapsearch displays seem to be correct (both when the
> user was in LDAP and files and after I deleted him from files).
> However, when I try to log into the account directly using SSH it won't
> accept the password.
> Any ideas what I'm doing wrong?

Have you modified the /etc/pam.d/* files appropriately (specifically,
the one for ssh)?


-- http://oss.netmojo.ca/


This message contains confidential information intended only for the use of the addressee(s)

named above and may contain information that is legally privileged. If you are not the

addressee, or the person responsible for delivering it to the addressee, you are hereby
notified that reading, disseminating, distributing or copying this message is strictly prohibited.

If you have received this message by mistake, please immediately notify us by replying to the

message and delete the original message immediately thereafter.

Thank you. FADLD Tag