Re: Newbie with PAM_LDAP (authentication on linux) and OPENLDAP

Hi Phillippe,

The best solution is to use NSSwitch....

Here is my configuration under SuSE:

# ldap.conf
# please restart the name cache daemon after editing this file

# LDAP Server
host    localhost
base    dc=xxxxxx,dc=com
ldap_version    3
scope   sub

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# The credentials to bind with.
# Optional: default is no credential.
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn     cn=YOURDN,dc=xxxxxx,dc=com

# NSS SWITCH (see /etc/nss_switch.conf)
# passwd: files ldap
# group:  files ldap
# shadow: files ldap
#
# hosts:  files dns ldap
nss_base_passwd ou=Users,dc=xxxxxx,dc=com?sub
nss_base_shadow ou=Users,dc=xxxxxx,dc=com?sub
nss_base_group  ou=Groups,dc=xxxxxx,dc=com?sub
nss_base_hosts  ou=Computers,dc=xxxxxx,dc=com?sub

# SSL Stuff

#ssl    no
#ssl    start_tls
#tls_cacert      /etc/openldap/cacert.pem

# PAM Stuff
pam_filter      objectclass=posixAccount
pam_login_attribute     uid
pam_member_attribute    memberUid
#pam_crypt      local
# you can use md5 too
pam_password    ssha

If I try to authenticate with SSH, I have to set up PAM for sshd:

#%PAM-1.0
auth required   pam_unix2.so # set_secrpc
auth required   pam_nologin.so
auth required   pam_env.so
account required        pam_unix2.so
account required        pam_nologin.so
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
session required        pam_unix2.so    none     # trace or debug
session required        pam_limits.so
session required        pam_mkhomedir.so        umask=0022

pam_unix2.so is a new module that uses nss_switch.conf!
If you do not have it, try this instead:
auth sufficient pam_ldap.so
account sufficient pam_ldap.so

Hope it helps you !

frederic
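The configuration above leaves the SSL/TLS and rootbinddn lines commented out, and the fallback PAM lines use the "type control module" layout of Linux-PAM. As an added example, not part of frederic's message or of the pam_ldap/nss_ldap projects, the script below audits an nss_ldap/pam_ldap-style ldap.conf for the settings a practitioner would want to double-check (plaintext binds to a remote host, TLS without a CA certificate, weak pam_password schemes) and validates the field order of PAM lines. All file contents it writes are constructed samples; the keyword names follow the syntax shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an nss_ldap/pam_ldap
# ldap.conf and checks PAM line syntax. Sample files are constructed here.

# Write a constructed ldap.conf. $1 = path, $2 = host, $3 = ssl value
# ("" keeps the ssl line commented out, as in the post), $4 = pam_password.
write_ldap_conf() {
  {
    echo "host    $2"
    echo "base    dc=xxxxxx,dc=com"
    echo "ldap_version    3"
    if [ -n "$3" ]; then echo "ssl    $3"; else echo "#ssl    start_tls"; fi
    echo "#tls_cacert      /etc/openldap/cacert.pem"
    echo "pam_filter      objectclass=posixAccount"
    echo "pam_password    $4"
  } > "$1"
}

# Value of the first active (uncommented) keyword in a file; empty if absent.
conf_get() {
  awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print one FINDING line per problem. Always returns 0 so callers can count.
audit_ldap_conf() {
  conf=$1
  host=$(conf_get "$conf" host)
  ssl=$(conf_get "$conf" ssl)
  cacert=$(conf_get "$conf" tls_cacert)
  scheme=$(conf_get "$conf" pam_password)

  case $host in
    localhost|127.0.0.1|::1|"") ;;   # traffic stays on the box, as in the post
    *) if [ "$ssl" != start_tls ] && [ "$ssl" != on ]; then
         echo "FINDING: host=$host without 'ssl start_tls' or 'ssl on': simple binds send the password in clear"
       fi ;;
  esac
  if { [ "$ssl" = start_tls ] || [ "$ssl" = on ]; } && [ -z "$cacert" ]; then
    echo "FINDING: TLS enabled but no tls_cacert: the server certificate cannot be verified"
  fi
  case $scheme in
    clear) echo "FINDING: pam_password clear stores userPassword unhashed" ;;
    crypt) echo "FINDING: pam_password crypt uses legacy crypt(3); prefer ssha" ;;
  esac
  return 0
}

# Number of findings for a file, as a single number.
count_findings() {
  audit_ldap_conf "$1" | grep -c '^FINDING' || true
}

# Linux-PAM lines are "type control module [args]". Prints yes or no.
# The post's fallback lines had the module before the control flag.
pam_line_valid() {
  set -- $1                                  # split the line into words
  case $1 in auth|account|password|session) ;; *) echo no; return 0 ;; esac
  case $2 in
    required|requisite|sufficient|optional|include|substack) ;;
    \[*) echo yes; return 0 ;;               # bracketed control syntax
    *) echo no; return 0 ;;
  esac
  case $3 in *.so) echo yes ;; *) echo no ;; esac
  return 0
}

# Usage: sh audit.sh demo
if [ "${1-}" = demo ]; then
  local_conf=$(mktemp); remote_conf=$(mktemp)
  write_ldap_conf "$local_conf" localhost "" ssha          # mirrors the post
  write_ldap_conf "$remote_conf" ldap.example.com "" clear # constructed weak case
  echo "local:  $(count_findings "$local_conf") finding(s)"
  audit_ldap_conf "$remote_conf"
  pam_line_valid 'auth pam_ldap.so sufficient'
  rm -f "$local_conf" "$remote_conf"
fi
```

The host check treats only loopback addresses as safe without TLS; the moment `host` points at another machine, an uncommented `ssl start_tls` plus `tls_cacert` is what keeps the simple-bind password and the shadow lookups off the wire in clear.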