
ldap user authentication, PAM and chsh (change shell): how to make it work?



Hi,

Please, bear with me! I know that this is not an openldap question per se, but
I've been banging my head on the wall for a long time on this issue and maybe
someone knows the quick answer: with user authentication coming from LDAP, what
is the magic that has to be inserted with the PAM stuff on a client to allow users
to change their login shells using 'chsh'? I've been googling this for hours to
no avail. A nice hint would suffice.

I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.

I managed to make the 'passwd' command work using the libnss-ldap
configuration 'pam_password exop' directive, but I'm clueless with chsh...

Right now I'm getting the message

chsh: user 'luser' does not exist in /etc/passwd

and the system auth log tells me:

chsh[4638]: pam_unix(chsh:auth): authentication failure; logname=luser uid=1137 euid=0 tty= ruser= rhost=  user=luser

/etc/pam.d/chsh originally contained, once the @include lines were expanded:

auth    required                    pam_shells.so
auth    sufficient                  pam_rootok.so
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_ldap.so use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_cap.so
account [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so
account [success=1 default=ignore]  pam_ldap.so
account requisite                   pam_deny.so
account required                    pam_permit.so
session [default=1]                 pam_permit.so
session requisite                   pam_deny.so
session required                    pam_permit.so
session optional                    pam_umask.so
session required                    pam_unix.so
session optional                    pam_ldap.so
session optional                    pam_systemd.so

I tried to trim it down, removing the account and session entries, but to no
avail so far...

thanks,
jf
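An added example, not part of the post above: a small Python evaluator for the Linux-PAM control syntax (pam.conf(5) semantics), run over the chsh auth stack quoted in the post with constructed module outcomes. It shows that for a user whose password only LDAP knows, the logged pam_unix failure is dropped by its `[success=2 default=ignore]` control, pam_ldap then jumps over pam_deny, and the stack returns success; the module return values are assumptions fed in by hand, not real PAM calls.

```python
# Added example (not from the original post): runs the chsh auth stack quoted
# above under the Linux-PAM control rules; module results are constructed inputs.
import re
CHSH_AUTH = """\
auth    required                    pam_shells.so
auth    sufficient                  pam_rootok.so
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_ldap.so use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_cap.so
"""
SHORTHAND = {  # keyword controls as their bracketed equivalents (new_authtok_reqd omitted)
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")

def parse_stack(text, group="auth"):
    """Return [(value->action map, module)] for one management group."""
    stack = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        if m.group(1) == group:
            c = m.group(2)
            ctrl = SHORTHAND.get(c) or dict(w.split("=", 1) for w in c.strip("[]").split())
            stack.append((ctrl, m.group(3)))
    return stack

def run_stack(stack, results):
    """libpam-style walk; results maps module -> return value (default 'auth_err')."""
    impression, status, i, trace = None, None, 0, []
    while i < len(stack):
        ctrl, module = stack[i]
        result, i = results.get(module, "auth_err"), i + 1
        action = ctrl.get(result, ctrl.get("default", "bad"))  # unlisted values are 'bad'
        trace.append(f"{module}: {result} -> {action}")
        if action in ("bad", "die"):
            if impression != "negative":  # the first failure fixes the status
                impression, status = "negative", result
            if action == "die":
                break
        elif action != "ignore":  # ok, done, or N (= ok, then skip N modules)
            if impression != "negative":
                impression, status = "positive", result
            if action == "done" and impression == "positive":
                break
            i += int(action) if action.isdigit() else 0
    return (status if impression else "perm_denied"), trace
```

Since the stack succeeds for the LDAP user, the "does not exist in /etc/passwd" message is not a PAM denial; it is printed by chsh itself, which rewrites the user's /etc/passwd entry rather than the loginShell attribute in the directory.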