
Re: LDAP + PAM, authentication of users in certain group



On Friday 29 August 2008 11:31:32 Peter V wrote:
> Hi,
>
> I have got users and groups in LDAP and I use it for authentication from
> several servers. I need users to be able to log into the servers only if
> they are in "admin" group.
>
> I use pam_ldap.so module for the authentication.
>
> I added these lines into /etc/pam_ldap.conf
> pam_groupdn cn=admins,ou=Groups,dc=domain,dc=com
> pam_member_attribute memberUid
>
> And the following line into /etc/pam.d/ssh:
> account required      pam_ldap.so
>
> Basically, this works alright, BUT I have got root account in local database
> /etc/passwd and I need root to be able to log in even if he is not in the
> "admin" group and also if the LDAP server is off. This does not work,
> because with this setting, the PAM module requires also root to be in the
> "admin" group and when the LDAP server is off, there is no admin group.
>
> Does anyone know how to set this up?

This is a PAM question, not an LDAP question, but the answer is something 
along the lines of:

account sufficient pam_localuser.so
account sufficient pam_ldap.so
account required pam_deny.so

Regards,
Buchan
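To make the behaviour of that three-line account stack concrete, here is an added shell model of how PAM evaluates it for different users; it is not code from either poster and it talks to neither PAM nor LDAP. It walks the stack with the usual control-flag semantics ("sufficient" ends the stack with success on the first module that succeeds and otherwise continues, "required" pam_deny.so fails anything that reaches it) over a constructed /etc/passwd and a constructed memberUid list for cn=admins. Two points it makes visible: pam_localuser.so succeeds for any account in /etc/passwd, not only root, so every local account bypasses the LDAP group check; and when the LDAP server is unreachable pam_ldap.so does not succeed (modelled here by return code 2, standing in for PAM_AUTHINFO_UNAVAIL), so a non-local user falls through to pam_deny.so.

```shell
#!/bin/sh
# Added example, not from the original thread: a model of how the PAM
# "account" stack from the reply is evaluated, run over constructed data.
#   account sufficient pam_localuser.so
#   account sufficient pam_ldap.so
#   account required   pam_deny.so

# Constructed stand-in for /etc/passwd (one login name per line).
LOCAL_USERS="root
backup"

# Constructed memberUid values of cn=admins,ou=Groups,dc=domain,dc=com.
LDAP_ADMINS="alice
bob"

# in_list NAME LIST: succeed iff NAME is exactly one line of LIST.
in_list() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# Model of pam_localuser.so: success iff the user exists in /etc/passwd.
pam_localuser() {
    in_list "$1" "$LOCAL_USERS"
}

# Model of pam_ldap.so with pam_groupdn/pam_member_attribute set:
# success iff the LDAP server is reachable ($2 = up) and the user is a
# memberUid of the group. Returns 2 (stands in for PAM_AUTHINFO_UNAVAIL)
# when the server is down, 1 when the user is not a member.
pam_ldap() {
    [ "$2" = up ] || return 2
    in_list "$1" "$LDAP_ADMINS"
}

# pam_account_check USER up|down: prints "allow" or "deny".
# "sufficient": a success finishes the stack with success, a failure is
# ignored and the next line runs. "required" pam_deny.so always fails,
# so anything that reaches it is denied.
pam_account_check() {
    user=$1
    ldap=$2
    if pam_localuser "$user"; then
        echo allow            # local account: LDAP never consulted
        return 0
    fi
    if pam_ldap "$user" "$ldap"; then
        echo allow            # LDAP reachable and user in cn=admins
        return 0
    fi
    echo deny                 # pam_deny.so
    return 0
}

# Stand-alone demo: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    for u in root backup alice carol; do
        for l in up down; do
            printf '%-7s ldap %-4s -> %s\n' "$u" "$l" \
                "$(pam_account_check "$u" "$l")"
        done
    done
fi
```

Run it with `sh script.sh demo` to see the full table. Because pam_localuser.so is first and "sufficient", the ordering is what makes root (and "backup") survive an LDAP outage; swapping the first two lines would still admit local users but would make every login wait for the LDAP timeout first.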