[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: trouble configuring pam using pam_ldap and pam_mount



Wilhelm Meier wrote:
Am Samstag, 28. Juli 2007 21:30 schrieb Heiko Harders:
<snip>
What about uid's. Normally the local user uid's occupy a different range, say e.g. 0 - 1000 and the ldap uid's are above that range. I don't no if pam_mount can distinguish this, but pam_cifs can do that.
I tried working with uid's and gid's (but did it a little different then what you told), this is the configuration I used, my local users have id's below 2000 and my ldap users have id's above 2000:

session    optional    pam_foreground.so
session    [default=2 success=ignore]    pam_succeed_if.so quiet uid > 2000
session    required    pam_mount.so
session    sufficient    pam_ldap.so
session    required    pam_unix.so

But this also doens't work... I got this example literally from the online documentation (example on the bottom of this page: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_succeed_if.html). But with whatever uid I logon (tried su and tried gdm) it always does the default thing, so it skips lines 3 and 4. I checked the user id's of the users after logging on (with command 'id'). For my ldap user it was 2002, for my local user it was 1000. So that couldn't be the problem.

Dan Yefimov wrote:
On Sun, 29 Jul 2007, Heiko Harders wrote:
<snip>
The matter is that pam_localuser.so operates only in account stack (check
README file in the pam_localuser source directory).
I checked this out online to make sure this wasn't the problem. In the online documentation (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_localuser.html) I found: "All services (account, auth, password and session) are supported." So I ruled this out and was convinced this wasn't a problem. But perhaps that online documentation isn't correct.
That means mounting should
be performed in account stack too. If pam_mount.so cannot operate in account stack (consult with pam_mount documentation), pam_localuser.so cannot help you.
I think (but am not sure) pam_mount can not operate in account stack. The documentation is very limited and doesn't say anything about that.
You could however patch pam_localuser source so that it can operate also in session stack in order to be helpful for you.
That's something I will consider after I've made sure the online documentation I found is indeed incorrect (and you are right about pam_localuser isn't able to operate in session stack).

I thought it might help if I used this module:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_loginuid.html
However I'm not sure what exactly it is for, I thought it might be necessary for correctly identifying the uid of the user which logs on? Anyway, this module isn't installed on my system, a quick search on the internet provided that 'Linux SE' (security enhanced linux) is needed for this. But there is not much I can find about this issue.

Another problem that occured is that my 'gksu' is broken by 'auth required pam_mount.so' (that seems to be a common problem and I didn't find a solution for it yet, any comments on that are also welcome). So after three days of trial and nothing but error ;-) and considering the problem with gksu I'm thinking about dropping pam_mount and try some other approach. But I don't want to give up to soon, so any thoughts on these problems are still very welcome.

Greetings,
Heiko


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]