
Re: pam_ldap and login
Johnny Casey wrote:

> 
> You are missing "use_authtok".

My copy of the pam docs mentions use_authtok, but not what it actually
does. This situation seems to be repeated at:-

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/

What does this flag mean? Is there any complete documentation available
for PAM? An awful lot of postings about it seem to indicate that most
people get by with trial and error due to lack of any docs.

> About the above, I would probably have pam_unix before pam_ldap.  What 
> order you have the two (pam_ldap and pam_unix) should be the same for 
> account/auth/password.
> 
> It might also be good to specify which Linux distribution and what 
> version you are using next time...

Debian Woody.

I've now got this in /etc/pam.d/passwd:-

auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so

password   sufficient   pam_unix.so nullok use_authtok obscure min=4 max=8 md5 shadow
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

Which doesn't work for users or root, so at least I've got consistency....

People have also suggested pam_localuser.so, but Debian doesn't ship
with it, and there doesn't appear to be any obvious source to get it. I
could pick up a binary from an RPM, but I want a maintainable system...

Mike.