Re: pam services under LDAP




On 09/11/2010, at 09:16, bluethundr wrote:

> I have created a symlink from /etc/openldap/ldap.conf to
> /etc/ldap.conf... that seems to have gotten the majority of the system
> communicating with PAM/LDAP. I guess that making a .ldaprc file in the
> users home directory and putting those directives in there would be
> about the equivalent.
> 
> The only thing eluding me currently is getting the client to listen to
> sudoers which is currently working thru ldap on the ldap server
> itself.
> 
> [root@VIRCENT03:~]#cat /etc/pam.d/sudo
> #%PAM-1.0
> auth       include      system-auth
> auth       required     pam_ldap.so
> account    include      system-auth
> account    required     pam_ldap.so
> password   include      system-auth
> password   required     pam_ldap.so
> session    optional     pam_keyinit.so revoke
> session    required     pam_limits.so
> session    required     pam_ldap.so
> 
> 
> AFAIK the above should get pam_ldap communicating with the LDAP server
> on the behalf of sudoers. The other pam configs (such as sshd and su)
> appear to be getting their info from the system auth which is
> currently communicating with the LDAP server.
> 
> Does anyone have any tips on how to get sudoers working through pam /ldap?
> 
> thanks!!
> 
> 

I have had a similar issue on my OpenLDAP setup. I have a posixgroup in LDAP, into which I placed a list of users for sudo access, and it never works. Both the full dn, and just the uid or id number of the user in the posixgroup, don't work.

Sudo supports some LDAP-based configuration from what I understand, but I think that is different to what you are trying to achieve in this case.


> 
> -- 
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
> 
> Share and enjoy!!

William Brown

pgp.mit.edu


