PAM + LDAP auth without local accounts?
Jeffrey Brown
JABrown at co.jefferson.co.us
Fri Mar 12 16:00:18 UTC 2004
In our environment we've had success with Netware 6.0.2 and RedHat 8.0 using TLS, LDAP and no local user accounts on the linux workstations. From the looks of your config you may want to try pam_password md5 rather than crypt. We've published a document that may be helpful to you at: http://www.novell.com/coolsolutions/nds/features/a_linux_auth_ldap_edir.html.
We also found that using the Account Mgmt. 2.1 snapins to ConsoleOne was an easy way to edit attributes on the posixAccount and posixGroup schema; however, there are other ways to do this à la LDIF. Another individual found another solution/addition by mapping LDAP classes to NDS classes at:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3f66de42.8929781%40support-forums.novell.com&rnum=7
I like the work you've done with the PAM mount module; we'll have to try that in house.
Jeffrey Brown
UNIX/Linux SA
Jefferson County, Colorado USA
>>> yann.forget at etat.ge.ch 3/12/2004 6:24:21 AM >>>
Hi,
I have Linux stations using Novell NDS / eDirectory for authentication.
Works fine so far if I have local accounts in /etc/passwd (password
deactivated in /etc/shadow).
What is the necessary config for logging in *without* a local account in
/etc/passwd?
I also use pam_mount and it works fine.
/etc/nsswitch.conf
passwd: ldap files
shadow: ldap files
group: ldap files
============================
/etc/security/pam_mount.conf
debug 1
mkmountpoint 1
lsof /usr/bin/lsof
options_require nosuid,nodev
luserconf .pam_mount.conf
smbmount /bin/mount -t smbfs
ncpmount /bin/mount -t ncpfs
umount /bin/umount
lclmount /bin/mount -p0
volume * ncp novell_name_of_server usr/cti/& /home/& ipserver=unix_name_of_server,user=&.novell_context,uid=&,gid=users - -
============================
/etc/ldap.conf
host mialplacidus
base ou=cti,ou=aca82,ou=d,o=nhp
ldap_version 3
port 636
pam_password crypt
sslpath /etc/ssl/certs/cert7.db
nss_base_passwd <context>
nss_base_shadow <context>
nss_base_group <context>
ssl on
tls_cacertdir /etc/ssl/certs
===========================
/etc/security/pam_unix2.conf
auth: use_ldap nullok
account: use_ldap
password: use_ldap nullok
session: none
===========================
/etc/pam.d/login
#%PAM-1.0
auth requisite pam_unix2.so nullok
auth required pam_securetty.so
auth required pam_nologin.so
#auth required pam_homecheck.so
auth required pam_env.so
auth required pam_mail.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so none # debug or trace
session required pam_limits.so
session required pam_mount.so use_first_pass
auth required pam_mount.so use_first_pass
===========================
Thanks,
Yann
--
OSS consultant
Centre des Technologies de l'Information
Etat de Genève
82 rue des Acacias
1227 Carouge (GE)
Tél. +41-22-325 11 62
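As an added example (not part of either message), a small POSIX shell lint over the quoted /etc/ldap.conf and /etc/nsswitch.conf: it flags the nss_base_* entries still left as placeholders, the crypt password scheme the reply suggests changing to md5, a missing `ssl on`, and any NSS database that never consults ldap. The config copies below are constructed inline from the quoted text rather than read from a live host.

```shell
#!/bin/sh
# Added example, not from the list: lint the ldap.conf and nsswitch.conf
# quoted above. Copies are constructed inline rather than read from a host.
LDAP_CONF='host mialplacidus
base ou=cti,ou=aca82,ou=d,o=nhp
pam_password crypt
nss_base_passwd <context>
nss_base_shadow <context>
nss_base_group <context>
ssl on
tls_cacertdir /etc/ssl/certs'
NSSWITCH='passwd: ldap files
shadow: ldap files
group: ldap files'

# conf_get CONTENT KEY: value of the first line whose first word is KEY
conf_get() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { sub(/^[^ \t]+[ \t]*/, ""); print; exit }'
}

# lint_ldap_conf CONTENT: one finding per line for settings that block
# LDAP-only logins (unfilled nss_base_*, crypt hashing, TLS off)
lint_ldap_conf() {
    for key in nss_base_passwd nss_base_shadow nss_base_group; do
        case "$(conf_get "$1" "$key")" in
            ''|'<'*'>') echo "$key: unset or still a placeholder, NSS has no search base" ;;
        esac
    done
    [ "$(conf_get "$1" pam_password)" = crypt ] &&
        echo "pam_password crypt: the reply suggests md5 for eDirectory"
    [ "$(conf_get "$1" ssl)" = on ] ||
        echo "ssl not on: the bind password would cross the network in clear"
    return 0
}

# lint_nsswitch CONTENT: flag databases that never consult ldap
lint_nsswitch() {
    for db in passwd: shadow: group:; do
        case " $(conf_get "$1" "$db") " in
            *' ldap '*) ;;
            *) echo "$db does not list ldap, LDAP-only users cannot resolve" ;;
        esac
    done
}

lint_ldap_conf "$LDAP_CONF"   # 4 findings on the posted file
lint_nsswitch "$NSSWITCH"     # none: all three databases consult ldap
```

Once the placeholders are filled and the scheme changed, the same lint reports nothing; on a real box, `getent passwd <ldap user>` is the runtime check that NSS resolves a user with no /etc/passwd entry.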
_______________________________________________
Pam-list mailing list
Pam-list at redhat.com
https://www.redhat.com/mailman/listinfo/pam-list