
Re: trouble configuring pam using pam_ldap and pam_mount

On Saturday, 28 July 2007 21:30, Heiko Harders wrote:
> Hi,
> I've been trying to configure PAM for my needs all day now, but I can't get it
> right.
> I have an LDAP server which contains the user login information for my
> users. This server also serves the home directories using NFS.
> On my clients I use pam_ldap to authenticate and I use pam_mount to
> mount the home directories whenever a user logs on. This works fine. The
> problem is, whenever a local user on the client logs on, pam_mount tries
> to mount a home directory from the server. In my pam configuration I
> would like to specify that pam_mount shouldn't be executed whenever a
> local user logs on. But I can't figure out how. 

What about UIDs? Normally the local user UIDs occupy a different range, say 
e.g. 0 - 1000, and the LDAP UIDs are above that range. I don't know if 
pam_mount can distinguish this, but pam_cifs can do that. You only have to 
export your users' homes via Samba (using LDAP as well). Don't forget to mount 
the CIFS shares with the option serverino, otherwise you will have problems with 
KDE files in users' home dirs.

> I use the default files 
> in my '/etc/pam.d/' directory and I've modified the 'common-*' files in
> the following way:
> common-account:
> account    sufficient  pam_ldap.so
> account    required    pam_unix.so
> common-auth:
> auth    required    pam_mount.so
> auth    sufficient  pam_ldap.so use_first_pass
> auth    sufficient  pam_unix.so nullok_secure use_first_pass
> common-password:
> password   sufficient pam_ldap.so
> password   required   pam_unix.so nullok obscure min=4 max=8 md5
> common-session:
> session optional        pam_foreground.so
> ## I think I should add something over here
> session required        pam_mount.so
> session sufficient      pam_ldap.so
> session required        pam_unix.so
> I've tried to add a line in the common-session file, something like this:
> session   [user_unknown=2 default=ignore] pam_ldap.so
> Hoping this would skip the next 2 lines if the user wasn't found on the
> ldap server. But this doesn't seem to work. The following line did work,
> but doesn't do what I want:
> session [default=2] pam_ldap.so
> In this case ALL users skip the next two lines.
> Has anyone a clue what I'm doing wrong? Is there something wrong in my
> syntax? Or is the complex approach wrong?
> Greetings,
> Heiko

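Added example, not part of either message in this thread: a small Python model of how a PAM session stack handles `[value=N]` jumps, applied to the quoted common-session lines with one extra `pam_succeed_if.so` line that skips pam_mount based on the UID range suggested in the reply. The placement of that line, the 1000 threshold, and the simplification that every other module returns success are assumptions of this sketch.

```python
import re

# Constructed stack: the poster's common-session lines plus one added
# pam_succeed_if line (assumption: local UIDs are below 1000).
STACK = """\
session optional pam_foreground.so
session [success=1 default=ignore] pam_succeed_if.so uid < 1000 quiet
session required pam_mount.so
session sufficient pam_ldap.so
session required pam_unix.so
"""

RULE = re.compile(r"\s*session\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse(stack):
    """Return (control, module, args) per line; a [..] control stays whole."""
    return [m.groups() for m in map(RULE.match, stack.splitlines()) if m]

def action_for(control, result):
    """Look up the action a bracketed control assigns to a module result."""
    pairs = dict(p.split("=") for p in control.strip("[]").split())
    return pairs.get(result, pairs["default"])  # example always sets default

def succeed_if(args, uid):
    """Model only the 'uid < N' test used above."""
    field, op, value = args.split()[:3]
    if (field, op) != ("uid", "<"):
        raise ValueError("unsupported condition: " + args)
    # The exact failure code is irrelevant here: default=ignore covers it.
    return "success" if uid < int(value) else "auth_err"

def invoked_modules(stack, uid):
    """List the modules called for this uid, honouring jumps and sufficient."""
    called, skip = [], 0
    for control, module, args in parse(stack):
        if skip:               # a previous [..=N] action skips this line
            skip -= 1
            continue
        called.append(module)
        # Assumption: every module other than pam_succeed_if succeeds.
        result = succeed_if(args, uid) if module == "pam_succeed_if.so" else "success"
        if control.startswith("["):
            action = action_for(control, result)
            skip = int(action) if action.isdigit() else 0
        elif control == "sufficient" and result == "success":
            break              # sufficient + success ends the stack
    return called
```

The quoted common-auth file also calls pam_mount.so, so the same kind of UID test would be needed in that stack as well.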
