
Re: is it possible to make pam_wheel query an LDAP server?

Hello Ian,

On Sun, 15 Apr 2001, Ian Macdonald wrote:

> I currently have my PAM configuration file for su set to use
> pam_wheel, followed by pam_ldap as follows:

> auth       sufficient   /lib/security/pam_rootok.so
> auth       required     /lib/security/pam_wheel.so
> auth       sufficient   /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_unix_auth.so use_first_pass
> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_unix_acct.so
> password   required     /lib/security/pam_cracklib.so
> password   sufficient   /lib/security/pam_ldap.so
> password   required     /lib/security/pam_pwdb.so use_first_pass
> session    required     /lib/security/pam_unix_session.so

> However, the effect is not quite the desired one. pam_wheel only
> consults the local /etc/group file to find users who are allowed to
> su, whereas I would like an LDAP server to be queried instead.

> This would greatly ease administration, since we could just add or
> remove a user from the wheel group in LDAP and instantly either
> empower or emasculate said user across all of our systems.

> We could then also configure other applications to allow only certain
> users to use them, by having pam_wheel query over LDAP for membership
> of other groups than just wheel. This would be an extremely powerful
> feature.

> So, is there any way of getting pam_wheel to go over LDAP for its
> look-ups?

To do group lookups via LDAP, you should have the following line in

group:      files ldap

And you should make sure that you don't have a 'wheel' group listed in
/etc/group.  This is because NSS doesn't allow you to combine group entries
from multiple NSS backends: getgrnam("wheel") will return either the entry
from LDAP or the entry from /etc/group, depending on which is specified first
in nsswitch.conf.  (I strongly recommend listing 'files' before 'ldap' for
security reasons; if someone has gone to the trouble of explicitly setting up
a user or group on the local machine, you normally don't want someone to be
able to override that setting in the network database.)

Steve Langasek
postmodern programmer
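As an added example (not part of the thread and not either author's own text), a small audit that checks the three conditions the reply relies on against constructed nsswitch.conf and /etc/group contents: whether the group database consults ldap at all, whether files precedes ldap, and whether a local entry for the group would shadow (or be shadowed by) the LDAP one, since NSS never merges the two.

```python
# Constructed sample inputs (not taken from the thread): a plausible state
# before the change, and the state the reply recommends.
NSSWITCH_BEFORE = "passwd: files ldap\ngroup:  files\n"
GROUP_BEFORE = "root:x:0:\nwheel:x:10:root,ian\n"
NSSWITCH_AFTER = "passwd: files ldap\ngroup:  files ldap\n"
GROUP_AFTER = "root:x:0:\n"


def parse_nsswitch(text):
    """Map each nsswitch.conf database to its ordered list of sources.
    Action tokens such as [NOTFOUND=return] and comments are dropped."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        dbs[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return dbs


def local_group_names(group_text):
    """Set of group names defined in /etc/group content."""
    stripped = (ln.strip() for ln in group_text.splitlines())
    return {ln.split(":", 1)[0] for ln in stripped if ln and not ln.startswith("#")}


def audit(nsswitch_text, group_text, group="wheel"):
    """Return findings that explain why pam_wheel would not see the LDAP group,
    or why a local entry might be overridden. Empty list means the setup
    matches the reply's advice."""
    findings = []
    sources = parse_nsswitch(nsswitch_text).get("group", [])
    if "ldap" not in sources:
        findings.append("'group' in nsswitch.conf does not list ldap: getgrnam() never returns LDAP groups")
        return findings
    if "files" in sources and sources.index("ldap") < sources.index("files"):
        findings.append("ldap listed before files: a network entry can override a deliberately local group")
    if group in local_group_names(group_text):
        findings.append(f"'{group}' is also in /etc/group: NSS does not merge entries, the first source listed wins")
    return findings


if __name__ == "__main__":
    for label, nss, grp in (("before", NSSWITCH_BEFORE, GROUP_BEFORE),
                            ("after", NSSWITCH_AFTER, GROUP_AFTER)):
        print(label, audit(nss, grp) or ["ok"])
```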
