PAM/LDAP httpd auth but no system account ?

Jed Donnelley jed at nersc.gov
Thu Sep 30 18:18:14 UTC 2004


I'm using mod_auth_pam for httpd/LDAP authentication, including group 
authentication.

I've found that I need to set:

shadow:    files ldap
group:     files ldap

in my /etc/nsswitch.conf to get this to work (Redhat ES2.1).  However, I 
don't want shell logins on the system to be authenticated through 
LDAP.  That is, while I want to accept LDAP users for httpd authentication, 
I don't want to accept such users for login to the system (Web authors are 
a small subset of those who authenticate through httpd).

What I find is that if I leave my nsswitch.conf as:

passwd:    files

then users that are not in my /etc/passwd file can't authenticate through 
httpd (/etc/pam.d/httpd:
_____________________________
#%PAM-1.0

auth       sufficient  /lib/security/pam_ldap.so
auth       required    /lib/security/pam_deny.so
_____________________________

).  The error I see is:

[Wed Sep 29 18:06:27 2004] [error] (2)No such file or directory: access to 
/projects/www-test/group-staff/ failed for 128.55.16.133, reason: User not 
known to the underlying authentication module

Not surprisingly I also see:

Sep 28 16:14:29 rohanb httpd(pam_unix)[20895]: could not identify user 
(from getpwnam(jed))

in /var/log/messages.  If I call getpwnam then I don't see a passwd 
entry.  This is as I expect and want, as I don't want users from LDAP 
logging into the system.  However, I do want to be able to have users 
coming in through Apache authenticate.

If I authenticate a user that is in my /etc/passwd file then the 
authentication works - with the password stored in the LDAP server.

If I change my nsswitch.conf to include:

passwd:    files ldap

then httpd authentication works through LDAP, but LDAP users are also able 
to log in to my Web server, which is not what I want.

I wondered if anybody might have any thoughts on how I can get PAM to do 
what I need.  At this point I'm stuck and considering switching to 
mod_auth_ldap.  I would prefer staying with PAM because of its greater 
flexibility, but if I can't get it to do what I need then of course I need 
to do something else.  Perhaps somebody might be able to point me to a 
discussion of the binding between PAM and nsswitch?  Is this a case where 
I'm trying to do something that isn't possible?  Ideally I would like to 
be able to accept LDAP passwords for users that are in my /etc/passwd file 
for logins.

--Jed http://www.nersc.gov/~jed/ 
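The post's two nsswitch.conf variants and the pam_unix syslog line it quotes make a small audit worth having. The script below is an added example, not code from the poster or from the PAM or Red Hat projects: it parses an nsswitch.conf, reports whether the passwd database is local-only or also consults ldap (the switch that, per the post, decides whether LDAP-only users resolve via getpwnam and can therefore log in to the system), and scans /var/log/messages-style lines for the "could not identify user (from getpwnam(...))" failure. The two nsswitch samples and the log excerpt are constructed for the example, modelled on what the post shows.

```python
"""Audit nsswitch.conf and pam_unix log lines for the PAM-over-LDAP setup discussed above.

Added example; the sample inputs below are constructed, not the poster's real files.
"""
import re
from typing import Dict, List, Tuple

# Constructed nsswitch.conf matching the "passwd: files" variant in the post.
NSSWITCH_LOCAL_ONLY = """\
passwd:    files
shadow:    files ldap
group:     files ldap
"""

# Constructed nsswitch.conf matching the "passwd: files ldap" variant in the post.
NSSWITCH_WITH_LDAP = """\
passwd:    files ldap
shadow:    files ldap
group:     files ldap
"""

# Constructed /var/log/messages excerpt modelled on the line quoted in the post.
SAMPLE_MESSAGES = """\
Sep 28 16:14:29 rohanb httpd(pam_unix)[20895]: could not identify user (from getpwnam(jed))
Sep 28 16:15:02 rohanb sshd(pam_unix)[20901]: session opened for user alice by (uid=0)
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database (passwd, shadow, group, ...) to its ordered list of sources.

    Comments and blank lines are skipped, and '[STATUS=action]' tokens are dropped
    so that only the source names (files, ldap, nis, ...) remain.
    """
    databases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return databases


def audit(nss: Dict[str, List[str]]) -> List[str]:
    """Describe the consequence of the passwd setting for LDAP-only users."""
    findings: List[str] = []
    passwd = nss.get("passwd", [])
    if "ldap" in passwd:
        findings.append(
            "passwd consults ldap: getpwnam() resolves LDAP-only users, so system "
            "login services will also see them as valid accounts"
        )
    else:
        findings.append(
            "passwd is local only: LDAP-only users fail getpwnam(), and pam_unix "
            "logs 'could not identify user' for them"
        )
    return findings


# Matches the pam_unix line quoted in the post; captures the service and the user name.
GETPWNAM_RE = re.compile(
    r"(\S+)\(pam_unix\)\[\d+\]: could not identify user \(from getpwnam\((\w+)\)\)"
)


def unknown_users(log: str) -> List[Tuple[str, str]]:
    """Return (service, user) pairs for every getpwnam failure found in the log text."""
    hits: List[Tuple[str, str]] = []
    for line in log.splitlines():
        match = GETPWNAM_RE.search(line)
        if match:
            hits.append((match.group(1), match.group(2)))
    return hits


if __name__ == "__main__":
    for label, sample in (("local-only", NSSWITCH_LOCAL_ONLY), ("with-ldap", NSSWITCH_WITH_LDAP)):
        for finding in audit(parse_nsswitch(sample)):
            print(f"[{label}] {finding}")
    for service, user in unknown_users(SAMPLE_MESSAGES):
        print(f"getpwnam failure: service={service} user={user}")
```

Running it on the real files would be `audit(parse_nsswitch(open("/etc/nsswitch.conf").read()))` and `unknown_users(open("/var/log/messages").read())`; the second call is the quick way to confirm that an httpd authentication failure is the "user not in passwd" case rather than a wrong password.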
