Re: pam_ldap

On Sun, May 19, 2002 at 02:21:10PM +0530, Nikhil Patil wrote:
> My problem deals with PAM authentication using an LDAP server. My
> configuration as supplied with the RHL7.2 pam_ldap.so works fine, but the
> one that comes with RHL7.3 or the one that I compile myself using latest
> pam_ldap from www.padl.com doesn't work.
> Hence, I would like to know how pam_ldap.so supplied with
> nss_ldap-172-2.i386.rpm in RHL7.2 and nss_ldap-185-1.i386.rpm in
> RHL7.3 has been made. I mean, where can I get its source (The RedHat
> modified one) and with what configuration was it compiled?

The source packages are both on the CDs and on the FTP site (in

I think the problem you're running into is a consequence of a change
in the default behavior made in the pam_ldap version we included in
the 7.2 release.  For a time, pam_ldap would return PAM_IGNORE if the
user was not known to the directory, but before the change was made
(and after it was changed back), it returned PAM_USER_UNKNOWN, which
causes different things to happen because PAM_USER_UNKNOWN normally
signals an error, while PAM_IGNORE doesn't.

You should be able to correct this by modifying /etc/pam.d/system-auth
and replacing:

account     required      /lib/security/pam_ldap.so

with:

account     [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so

The version of authconfig included with 7.3 should do this correctly.
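An added illustration (not part of this thread, and not Red Hat's or PADL's code) of why the two lines above behave differently. It models the Linux-PAM control-flag semantics from pam.conf(5): `required` expands to `[success=ok new_authtok_reqd=ok ignore=ignore default=bad]`, so a module returning PAM_USER_UNKNOWN falls under `default=bad` and fails the whole stack, whereas the explicit `user_unknown=ignore` skips that result. The module return values fed in (pam_unix succeeding for a local user, pam_ldap returning user_unknown) are constructed for the example; the module paths are the ones from the reply.

```python
"""Toy model of Linux-PAM 'account' stack evaluation (constructed example).

Reproduces only the control-value semantics described in pam.conf(5)
that matter for the pam_ldap case in this thread; real libpam is in C
and handles more states than this.
"""
import re

# Shorthand keywords and their documented expansions (pam.conf(5)).
SHORTHAND = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# type, control (keyword or [..] block), module path
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")


def parse_line(line):
    """Return (return_code -> action map, module path) for one config line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a PAM config line: %r" % line)
    _type, control, module = m.groups()
    control = SHORTHAND.get(control, control)
    mapping = {}
    for pair in control.strip("[]").split():
        code, action = pair.split("=", 1)
        mapping[code] = action
    return mapping, module


def evaluate(config_lines, module_results):
    """Walk the stack top to bottom.

    module_results maps a module path to the PAM return code it produced
    (lower-case name without the PAM_ prefix, as used in [..] controls).
    Returns "success" or "failure" for the whole stack.
    """
    outcome = None  # undecided until a module contributes ok/done/bad/die
    for line in config_lines:
        mapping, module = parse_line(line)
        code = module_results[module]
        action = mapping.get(code, mapping.get("default", "bad"))
        if action == "ignore":          # result does not count at all
            continue
        if action == "ok":              # counts, but never overrides a failure
            if outcome is None:
                outcome = "success"
        elif action == "done":          # like ok, and stop processing
            if outcome is None:
                outcome = "success"
            break
        elif action == "bad":           # first failure sticks, keep going
            outcome = "failure"
        elif action == "die":           # failure, stop immediately
            outcome = "failure"
            break
    return outcome or "failure"


# The 'account' section before and after the change suggested in the reply.
STACK_OLD = [
    "account     required      /lib/security/pam_unix.so",
    "account     required      /lib/security/pam_ldap.so",
]
STACK_NEW = [
    "account     required      /lib/security/pam_unix.so",
    "account     [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so",
]

# Constructed scenario: a purely local user. pam_unix is happy, pam_ldap
# (a build that returns PAM_USER_UNKNOWN rather than PAM_IGNORE) is not.
LOCAL_USER = {
    "/lib/security/pam_unix.so": "success",
    "/lib/security/pam_ldap.so": "user_unknown",
}

# Constructed scenario: an LDAP user whose directory account has expired.
EXPIRED_LDAP_USER = {
    "/lib/security/pam_unix.so": "success",
    "/lib/security/pam_ldap.so": "acct_expired",
}

if __name__ == "__main__":
    print("local user, old stack:", evaluate(STACK_OLD, LOCAL_USER))
    print("local user, new stack:", evaluate(STACK_NEW, LOCAL_USER))
    print("expired LDAP user, new stack:", evaluate(STACK_NEW, EXPIRED_LDAP_USER))
```

The third scenario is the reason the reply's line still says `default=bad`: only PAM_USER_UNKNOWN is excused, so a real negative answer from the directory (expired account, etc.) still denies access rather than being silently ignored.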
