[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_ldap and host



В Чтв, 18.12.2003, в 01:56, Chris Jackson пишет:
> it it helps, here is how we do it with our Redhat/Fedora based network:
> in our ldap.conf we have:
> 
> host ldap1.example.com ldap2example.com
> base ou=People,dc=example,dc=com
> pam_check_host_attr yes
> ssl start_tls
> pam_password md5
> 
> then, allowed people have this in their entries on the ldap server (ldif
> export):
> 
> dn: uid=auser, ou=People, dc=example, dc=com
> uid: auser
> sn: User
> cn: Any User
> mail: auser example com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: account
> ou: People
> userPassword: {crypt}$1$salt$cryptpassword
> gidNumber: 501
> homeDirectory: /home/auser
> uidNumber: 501
> host: host1.example.com
> host: host2.example.com
> givenName: Any
> loginShell: /bin/bash
> gecos: Any User
> 
> (as you can see, I've changed names and deleted unimportant attributes)
I have same config.
> 
> Our /etc/pam.d/system-auth:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>  
> account     required      /lib/security/$ISA/pam_unix.so
> account     [default=bad success=ok user_unknown=ignore
> service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
>  
> password    required      /lib/security/$ISA/pam_cracklib.so retry=3
> type=
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok
> use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
>  
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_ldap.so
> session     optional      /lib/security/pam_mkhomedir.so skel=/etc/skel
> umask=0022
> 
> (notice that last line (pam_mkhomedir) - it allows account home
> directories to be automatically created it the user is allow to login.)
I did it (homedir), but this pam config realy helps me. Thanks..
> 
> 
> I believe the last important piece to check is in /etc/nsswitch.conf: 
> ...
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
> ...
It is at every HOWTO :-)
> 
> Hope this helps...
> 
Yes, it helps me. Thank you!
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list redhat com
> https://www.redhat.com/mailman/listinfo/pam-list
-- 
Sorry me for my poor English...
---------------------------------------------------------
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

Best Regards			mailto:srg csu ac ru
Mokeev Sergey			ICQ UIN:168860082





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]