[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pam services under LDAP

To: openldap-technical@openldap.org
Subject: Re: pam services under LDAP
From: bluethundr <bluethundr@gmail.com>
Date: Mon, 8 Nov 2010 17:46:21 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:content-type; bh=uduY8E5wMdvPGlHcHHuOgTmsNnyfTuj9Pqg8p3RQnbY=; b=u6Olqq9sJ9vgHtUrbqmxM/mCPvyonXFLnGMLPFM4XBRztPFMcdbFVmr0AnMQ5kZHT5 TlUmM0orR1Hus/WvMAwrkmpzrcQJJgQAZ76iVGO0nX8JlD3IEyBlPEW57ioJumohi+r5 MtbxWyIJF53NohaD27yNphuP5UYjBfj2JGQ9g=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=mat+4FrqLN4+IQZPLT+lyeDNvjZjVWp0GnqDKH2nT2yhPmOgOh12GtiPWgLi3QoW5r Ah5Zsg92PB7bWwO7Se5zP5RJIcRoN8Gp2MzcghbZs45wMj5aWpMPEHHQ6nzKVFvlkUCU akR/2bAqbGp00CibzbpEnuqlXYpJ6+lkTr/wk=
In-reply-to: <alpine.SOC.2.00.1011081629210.18772@toolbox.rutgers.edu>
References: <AANLkTikwHJ+sX4uq9_t2zR600Fi+Use-vB4QXWcuAEw8@mail.gmail.com> <alpine.SOC.2.00.1011081629210.18772@toolbox.rutgers.edu>

I have created a symlink from /etc/openldap/ldap.conf to
/etc/ldap.conf... that seems to have gotten the majority of the system
communicating with PAM/LDAP. I guess that making a .ldaprc file in the
users home directory and putting those directives in there would be
about the equivalent.

The only thing eluding me currently is getting the client to listen to
sudoers which is currently working thru ldap on the ldap server
itself.

 [root@VIRCENT03:~]#cat /etc/pam.d/sudo
#%PAM-1.0
auth       include      system-auth
auth       required     pam_ldap.so
account    include      system-auth
account    required     pam_ldap.so
password   include      system-auth
password   required     pam_ldap.so
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    required     pam_ldap.so

AFAIK the above should get pam_ldap communicating with the LDAP server
on the behalf of sudoers. the other pam configs (such as sshd and su)
appear to be getting their info from the system auth which is
currently communicating with the LDAP server.

Does anyone have any tips on how to get sudoers working through pam /ldap?

thanks!!

On Mon, Nov 8, 2010 at 4:29 PM, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
> On Mon, 8 Nov 2010, bluethundr wrote:
>
>> [root@VIRCENT03:~]#cat /etc/openldap/ldap.conf
>
> [...]
>>
>> TLS_CACERTDIR /etc/openldap/cacerts
>> sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net
>
> I don't believe that "sudoers_base" is a recognized OpenLDAP configuration
> directive. As such, this line may belong in a file other than
> "/etc/openldap/ldap.conf" on your system.
>
>

-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9

Share and enjoy!!

Follow-Ups:
- RE: pam services under LDAP
  - From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
- Re: pam services under LDAP
  - From: Indexer <indexer@internode.on.net>
- Re: pam services under LDAP
  - From: Prentice Bisbal <prentice@ias.edu>

References:
- pam services under LDAP
  - From: bluethundr <bluethundr@gmail.com>
- Re: pam services under LDAP
  - From: Aaron Richton <richton@nbcs.rutgers.edu>

Prev by Date: Re: pam services under LDAP
Next by Date: RE: pam services under LDAP
Index(es):
- Chronological
- Thread