[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_ldap and host

it it helps, here is how we do it with our Redhat/Fedora based network:
in our ldap.conf we have:

host ldap1.example.com ldap2example.com
base ou=People,dc=example,dc=com
pam_check_host_attr yes
ssl start_tls
pam_password md5

then, allowed people have this in their entries on the ldap server (ldif

dn: uid=auser, ou=People, dc=example, dc=com
uid: auser
sn: User
cn: Any User
mail: auser example com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
ou: People
userPassword: {crypt}$1$salt$cryptpassword
gidNumber: 501
homeDirectory: /home/auser
uidNumber: 501
host: host1.example.com
host: host2.example.com
givenName: Any
loginShell: /bin/bash
gecos: Any User

(as you can see, I've changed names and deleted unimportant attributes)

Our /etc/pam.d/system-auth:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
session     optional      /lib/security/pam_mkhomedir.so skel=/etc/skel

(notice that last line (pam_mkhomedir) - it allows account home
directories to be automatically created it the user is allow to login.)

I believe the last important piece to check is in /etc/nsswitch.conf: 
passwd:     files ldap
shadow:     files ldap
group:      files ldap

Hope this helps...

On Wed, 2003-12-17 at 10:16, Sergey wrote:
> Ð? СÑ?д, 17.12.2003, в 20:04, Chris Jackson пиÑ?еÑ?:
> > Do you have a "host" attribute set in ldap with the host name you are
> > logging into? You will need a wild card (host = "*") if you want to
> > allow your self access to all hosts where this is set.
> yes, I have only host=apex.csu.ac.ru, but I can login to
> reindeer.csu.ac.ru. (I get warm, message about homedir and shell.)
> It's a good idea with host="*" for all hosts, I didn't know it, but at
> this time I want to denie access for host (jast for test :-), and to
> denie access for other users)
> > 
> > On Wed, 2003-12-17 at 09:47, Sergey wrote:
> > > Hi All!
> > > How does it work? I added "pam_check_host_attr yes" at /etc/ldap.conf.
> > > When I login to host, I get
> > > Access denied for this host
> > > Could not chdir to home directory /home/srg: No such file or directory
> > > -bash-2.05b$ 
> > > So, I have a shell :-(
> > > How can I fix it?
> > > 
> > > P.S.
> > > May be /etc/ldap.conf and /etc/libnss-ldap.conf symlinks to
> > > /etc/ldap/ldap.conf at Debian box (/etc/ldap.conf link to
> > > /etc/openldap/openldap.conf at RedHat box)? I Didn't notice there big
> > > differences..
> > 
> > 
> > _______________________________________________
> > Pam-list mailing list
> > Pam-list redhat com
> > https://www.redhat.com/mailman/listinfo/pam-list

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]