PAM/LDAP httpd auth but no system account ?
Jed Donnelley
jed at nersc.gov
Thu Sep 30 18:18:14 UTC 2004
I'm using mod_auth_pam for httpd/LDAP authentication, including group
authentication.
I've found that I need to set:
shadow: files ldap
group: files ldap
in my /etc/nsswitch.conf to get this to work (Red Hat ES2.1). However, I
don't want shell logins on the system to be authenticated through
LDAP. That is, while I want to accept LDAP users for httpd authentication,
I don't want to accept such users for login to the system (Web authors are
a small subset of those who authenticate through httpd).
What I find is that if I leave my nsswitch.conf as:
passwd: files
then users that are not in my /etc/passwd file can't authenticate through
httpd (/etc/pam.d/httpd:
_____________________________
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_deny.so
_____________________________
). The error I see is:
[Wed Sep 29 18:06:27 2004] [error] (2)No such file or directory: access to
/projects/www-test/group-staff/ failed for 128.55.16.133, reason: User not
known to the underlying authentication module
Not surprisingly I also see:
Sep 28 16:14:29 rohanb httpd(pam_unix)[20895]: could not identify user
(from getpwnam(jed))
in /var/log/messages. If I call getpwnam then I don't see a passwd
entry. This is as I expect and want, as I don't want users from LDAP
logging into the system. However, I do want to be able to have users
coming in through Apache authenticate.
If I authenticate a user that is in my /etc/passwd file then the
authentication works - with the password stored in the LDAP server.
If I change my nsswitch.conf to include:
passwd: files ldap
then httpd authentication works through LDAP, but LDAP users are also able
to log in to my Web server, which is not what I want.
I wondered if anybody might have any thoughts on how I can get PAM to do
what I need. At this point I'm stuck and considering switching to
mod_auth_ldap. I would prefer staying with PAM because of its greater
flexibility, but if I can't get it to do what I need then of course I need
to do something else. Perhaps somebody might be able to point me to a
discussion of the binding between PAM and nsswitch? Is this a case where
I'm trying to do something that isn't possible? Ideally I would like to be
able to accept LDAP passwords for users that are in my /etc/passwd file for
logins.
--Jed http://www.nersc.gov/~jed/
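The question above turns on two separate mechanisms: pam_ldap checks a password, but httpd (via mod_auth_pam) first needs getpwnam() to resolve the user, and that is an NSS lookup governed by the passwd: line, not a PAM step. Putting ldap on that line makes LDAP users resolvable for every service, login included, so the usual remedy is to keep ldap in NSS and gate the interactive stacks (login, sshd) with an account-phase pam_listfile or pam_access entry. The script below is an added example, not code from the post or from Linux-PAM; it audits that combination against constructed sample files. The /etc/login.allow path, the pam_stack/system-auth layout and the service file names are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the original post or from Linux-PAM).
# It reads an nsswitch.conf and one or more PAM service files and reports
# whether LDAP users, once resolvable through NSS, can reach an interactive
# login without an account-phase gate (pam_listfile or pam_access).
# All file paths are passed as arguments so it can run against the
# constructed samples below instead of the real /etc.

# Print the sources listed on the passwd: line (trailing '#' comments dropped).
nss_passwd_sources() {
    sed -n 's/#.*//; s/^[[:space:]]*passwd:[[:space:]]*//p' "$1"
}

# Succeed if "ldap" is one of the passwd sources.
nss_passwd_uses_ldap() {
    nss_passwd_sources "$1" | tr ' \t' '\n\n' | grep -qx ldap
}

# Succeed if the PAM service file gates the account phase with pam_listfile
# or pam_access (module given as a bare name or a full /lib/security path).
pam_stack_gates_login() {
    grep -Eq '^[[:space:]]*account[[:space:]]+(required|requisite)[[:space:]]+[^[:space:]]*pam_(listfile|access)\.so' "$1"
}

# audit_login_exposure NSSWITCH PAMFILE...
# Returns 0 when no unrestricted interactive path exists, 1 otherwise.
audit_login_exposure() {
    nss=$1; shift
    if ! nss_passwd_uses_ldap "$nss"; then
        echo "passwd NSS is local-only: LDAP users cannot be resolved by login or httpd"
        return 0
    fi
    rc=0
    for svc in "$@"; do
        if pam_stack_gates_login "$svc"; then
            echo "$svc: ldap in NSS passwd, account phase gated -> restricted"
        else
            echo "$svc: ldap in NSS passwd, no pam_listfile/pam_access gate -> any LDAP user can log in"
            rc=1
        fi
    done
    return $rc
}

# --- constructed samples (not the poster's files) ---
tmp=$(mktemp -d)
printf 'passwd:  files ldap\nshadow:  files ldap\ngroup:   files ldap\n' > "$tmp/nsswitch.conf"

# A login stack as it would look once ldap is added to NSS passwd: no gate.
cat > "$tmp/login.open" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
EOF

# The same stack with an account-phase allow-list; /etc/login.allow is an
# assumed file naming the few local accounts permitted interactive login.
cat > "$tmp/login.gated" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_listfile.so item=user sense=allow file=/etc/login.allow onerr=fail
account    required     /lib/security/pam_stack.so service=system-auth
EOF

if audit_login_exposure "$tmp/nsswitch.conf" "$tmp/login.open" "$tmp/login.gated"; then
    echo "no unrestricted interactive login path"
else
    echo "ACTION NEEDED: at least one interactive service is ungated"
fi
rm -rf "$tmp"
```

Against a live host the call is `audit_login_exposure /etc/nsswitch.conf /etc/pam.d/login /etc/pam.d/sshd`. Note that pam_listfile only gates the services whose stacks carry it, so every interactive service needs the line (or the shared system-auth stack that they include does); httpd's own stack, which carries no such gate, keeps authenticating the full LDAP population as before.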