PAM/LDAP distinct users sets for httpd <-> system auth
Jed Donnelley
jed at nersc.gov
Fri Oct 1 17:44:00 UTC 2004
In discussions here and elsewhere I've found some additional focus on the
problem I'm facing with PAM/LDAP.
I have two interfaces, httpd and system authentication, that I want to have
distinct sets of users visible to authenticate to. In my case it happens that
the system authentication set is a subset of the httpd set. I have a large
set of computer center users (~3k) that I want to be able to be known as users
and be able to authenticate to httpd with their LDAP userids and passwords,
groups, etc. I have a much smaller set of Web developers (10s or so) that I
want to be able to have shell/system authentication to login to the Web server
system, but also with their LDAP passwords.
What it seems to come down to is that to get PAM/LDAP to know about the
larger set of center users in the LDAP database I need to include:
passwd: files ldap
in my nsswitch.conf file. Having done so, it appears to force my
hand on shell/login authentication in that all the LDAP users become
visible as if they had an entry in the /etc/passwd file.
I know that if I use mod_auth_ldap for my httpd authentication, I can
set things up so that my larger set of users are visible to httpd
authentication and then I can specify:
passwd: files
in my nsswitch.conf file and let PAM manage my system authentication
to the subset.
I realize that I can also specify a system specific subset of users in
LDAP that will allow me to authenticate just that subset with PAM for
shell/login authentication. However, what I don't know how to do is
to specify such a subset to PAM/LDAP for system authentication
while using the much larger set for httpd authentication.
--Jed http://www.nersc.gov/~jed/
More information about the Pam-list mailing list
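One way to get the split Jed describes (everyone in LDAP resolvable and usable by httpd, only a small group able to log in to the box) is to leave `passwd: files ldap` in place for NSS and restrict the PAM side with pam_ldap's `pam_groupdn` authorization option. The fragments below are an added illustration, not configuration from the post or from the PAM/nss_ldap projects; the host name `ldap.example.com`, the base DN `dc=example,dc=com`, the `ou=People`/`ou=Groups` containers and the group `cn=webdevs` are assumed names, and the PAM stack is written for Linux-PAM with the PADL nss_ldap/pam_ldap modules and Apache 2.0's mod_auth_ldap of that era.

```text
# /etc/nsswitch.conf
# passwd/group come from LDAP too, so all ~3k center users have uids, gids
# and group memberships on the web server (file ownership, getent, httpd
# lookups all work).  shadow stays "files" only: if pam_unix could read
# LDAP password hashes through NSS it would authenticate any LDAP user
# itself and bypass the pam_ldap group check below.
passwd: files ldap
group:  files ldap
shadow: files

# /etc/ldap.conf   (shared by PADL nss_ldap and pam_ldap)
host ldap.example.com                # assumed server
base dc=example,dc=com               # assumed base DN
ssl  start_tls
# NSS side: enumerate every POSIX account and group
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one
# PAM side: pam_ldap only lets members of this group through; the other
# LDAP users still resolve via NSS but are refused at login
pam_login_attribute  uid
pam_groupdn          cn=webdevs,ou=Groups,dc=example,dc=com   # assumed group
pam_member_attribute uniqueMember

# /etc/pam.d/sshd   (same pattern for login, su, etc.)
# pam_groupdn is an authorization check inside pam_ldap, so pam_ldap has to
# be consulted in both the auth and the account stacks.
auth     required   pam_env.so
auth     sufficient pam_unix.so
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so broken_shadow
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
session  required   pam_unix.so

# httpd.conf   (Apache 2.0 mod_auth_ldap; Apache 2.2+ renamed this to
# mod_authnz_ldap and needs "AuthBasicProvider ldap" instead of
# AuthLDAPEnabled)
# httpd binds straight to LDAP and never goes through PAM, so the whole
# People tree is accepted here with no group restriction.
LoadModule ldap_module      modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
<Location /protected>
    AuthType Basic
    AuthName "Center users"
    AuthLDAPEnabled on
    AuthLDAPURL ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=posixAccount)
    require valid-user
</Location>
```

To check the split after applying this: `getent passwd <any-center-user>` should still return an entry for all ~3k users, an ssh or console login as a user who is not in `cn=webdevs` should be refused even with the correct LDAP password, and a member of the group should get a shell. Two caveats a practitioner will want: the LDAP ACL must not let the bind used by nss_ldap read `userPassword`, for the reason given in the nsswitch comment, and anything that grants access purely on NSS visibility (cron.allow-style checks, NFS exports keyed on uid, sshd without `UsePAM`) is not covered by the pam_groupdn rule and needs its own restriction such as sshd's `AllowGroups webdevs`.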