[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

is it possible to make pam_wheel query an LDAP server?


I currently have my PAM configuration file for su set to use
pam_wheel, followed by pam_ldap as follows:

auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_wheel.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so use_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass
session    required     /lib/security/pam_unix_session.so

However, the effect is not quite the desired one. pam_wheel only
consults the local /etc/group file to find users who are allowed to
su, whereas I would like an LDAP server to be queried instead.

This would greatly ease administration, since we could just add or
remove a user from the wheel group in LDAP and instantly either
empower or emasculate said user across all of our systems.

We could then also configure other applications to allow only certain
users to use them, by having pam_wheel query over LDAP for membership
of other groups than just wheel. This would be an extremely powerful

So, is there any way of getting pam_wheel to go over LDAP for its

Ian Macdonald               | There is no sadder sight than a young
Senior System Administrator | pessimist. 
Linuxcare, Inc.             | 
Support for the Revolution  | 

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []