
Re: Using LDAP for authentication question



It's great that you found out what was missing and how to build it out manually, commendable and rare indeed! However, this is not "/etc/pam.d/authconfig". This is "/etc/pam.d/system-auth", a misnomer we don't want to pass along to others in your shoes who may read this in the archives. Also, as was suggested elsewhere, you *must* have nss_ldap installed if you want to use LDAP for authentication. It's the package that actually provides pam_ldap.so, and if you make the tragic mistake of leaving a typo in a PAM file, NOBODY will be able to log in. Not you, not root, not without booting to a rescue medium to fix the typo by hand. Do *NOT* play games with your system-auth PAM file. Play with your ftp PAM file if you want to learn. Not system-auth!

Finally, actually running the authconfig command provides a number of other tweaks and fail-safe conditions in your system-auth file. Unless you know your PAM backward and forward, which I would wholeheartedly recommend you take as your next reading assignment <grin>, I'd say you should start with authconfig. The only disadvantage to using authconfig is that it pretty much outputs a standardized system-auth file, deleting any customizations you may have made to the previous version of the file. Other than that, it's very safe and very predictable.

-j


Jason Williams wrote:

Alan,

Thanks...I just came across a web link that was describing this. It was quite a good link actually.
Anyway, here is output from my authconfig file (in /etc/pam.d/ directory, on RH 7.3)


auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so


session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

I realize what I need to add:

#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so


account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so


password    required      /lib/security/pam_cracklib.so retry=3 minlen=4 \
                          dcredit=0 ucredit=0
password    sufficient    /lib/security/pam_unix.so nullok use_authtok \
                          md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so


session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so



I verified I have /lib/security/pam_ldap.so and I do.

So here is my question: From what I remember, you can use authconfig utility to change the setting, correct?
But, you can also add in the correct lines into the file directly, if you feel comfortable, correct?


OK, let's say that I do that. Now is there anything else I need to do? Restart any services, edit config files, etc.?
Secondly, I have a root account that is local (default install) and a root account that is in the LDAP accounts tree that is used to add my users to the domain.
Will that pose a problem? Or will I just use the root account and password in LDAP?


Lastly, if something goes wrong (and I hope it doesn't), what's the quickest, fastest and easiest way to recover it?

I appreciate your help.

Jason

At 06:02 PM 8/14/2003 -0600, you wrote:

Jason Williams said:
> Can anyone lead me in the direction of what I will need to do to setup
> the box so I can use my account that is in LDAP, and allow me to SSH to
> the box? I don't want to create an additional user account on the
> server, but instead use the account that I have in LDAP.

Consider installing the nss_ldap package and running /usr/sbin/authconfig
to set up LDAP authentication.
-Alan

===========
Alan Sparks, UNIX/Linux Systems Administrator <asparks@doublesparks.net>
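The control-flag behaviour discussed in this thread (why the pam_ldap lines are "sufficient", why pam_deny stays "required", and why a typo in system-auth locks everyone out) can be checked before the live file is touched. The simulator below is an added example, not code from the thread or from Linux-PAM; it models the stack walk for required/requisite/sufficient/optional and assumes, as marked in a comment, that a module PAM cannot load behaves like a failing required line.

```python
def parse_stack(text, facility):
    """Return [(control, module)] for one facility (auth, account, ...)."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == facility:   # '\'-continued lines are skipped
            entries.append((f[1], f[2].rsplit("/", 1)[-1]))
    return entries

def evaluate(entries, facility, outcomes, installed):
    """outcomes: (facility, module) -> True if it returns PAM_SUCCESS; missing = failure."""
    impression = None            # None: undecided, True: positive, False: negative
    for control, module in entries:
        if module not in installed:
            # ASSUMPTION: a module PAM cannot load acts like a failing 'required'
            # line, so the stack fails whatever control flag the line carried.
            impression = False
        elif outcomes.get((facility, module), False):
            if control == "sufficient" and impression is not False:
                return True      # 'done': nothing negative so far, stop here
            if impression is None:
                impression = True
        elif control == "requisite":
            return False         # 'die': stop immediately
        elif control == "required":
            impression = False   # 'bad': remember the failure but keep going
        # a failing sufficient/optional line is ignored
    return impression is True

def login_allowed(stack_text, outcomes, installed):
    """A login has to pass both the auth and the account stacks."""
    return all(evaluate(parse_stack(stack_text, fac), fac, outcomes, installed)
               for fac in ("auth", "account"))
# Constructed copy of the auth/account lines posted in the thread.
SYSTEM_AUTH = """\
auth     required   /lib/security/pam_env.so
auth     sufficient /lib/security/pam_unix.so likeauth nullok
auth     sufficient /lib/security/pam_ldap.so use_first_pass
auth     required   /lib/security/pam_deny.so
account  required   /lib/security/pam_unix.so
account  sufficient /lib/security/pam_ldap.so
"""
INSTALLED = {"pam_env.so", "pam_unix.so", "pam_ldap.so", "pam_deny.so"}
LOCAL_ROOT = {("auth", "pam_env.so"): True, ("auth", "pam_unix.so"): True,
              ("account", "pam_unix.so"): True}     # pam_ldap is never consulted
# LDAP-only user: no local password, but resolvable via nss_ldap for the account check.
LDAP_USER = {("auth", "pam_env.so"): True, ("auth", "pam_ldap.so"): True,
             ("account", "pam_unix.so"): True, ("account", "pam_ldap.so"): True}
TYPO = SYSTEM_AUTH.replace("pam_ldap.so\n", "pam_ldpa.so\n")  # misspelt in the account line
```

Running `login_allowed(TYPO, LOCAL_ROOT, INSTALLED)` shows the point of the reply: the local root account passes the auth stack, but the unloadable line in the account stack still refuses the login.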