PAM/LDAP httpd auth but no system account ?

Michael Chang miranda at uranus.com
Thu Sep 30 18:56:30 UTC 2004


|> I'm using mod_auth_pam for httpd/LDAP authentication, including group 
|> authentication.
|> 
|> I've found that I need to set:
|> 
|> shadow:    files ldap
|> group:     files ldap
|> 
|> in my /etc/nsswitch.conf to get this to work (Redhat ES2.1).  However, I 
|> don't want shell logins on the system to be authenticated through 
|> LDAP.  That is, while I want to accept LDAP users for httpd authentication, 
|> I don't want to accept such users for login to the system (Web authors are 
|> a small subset of those who authenticate through httpd).

Then leave nsswitch.conf as you have it above and only load the pam_ldap.so
PAM module inside /etc/pam.d/httpd.  Leave /etc/pam.d/{sshd,login} as they
are (i.e.: only use pam_unix.so).

[snip...]

|> If I change my nsswitch.conf to include:
|> 
|> passwd:    files ldap
|> 
|> then httpd authentication works through LDAP, but LDAP users also are able
|> to login to my Web server - which is not what I want.
|> 
|> I wondered if anybody might have any thoughts on how I can get PAM to do
|> what I need.  At this point I'm stuck and considering switching to
|> mod_auth_ldap.  I would prefer staying with PAM because of its greater
|> flexibility, but if I can't get it to do what I need then of course I need
|> to do something else.  Perhaps somebody might be able to point me to a
|> discussion of the binding between PAM and nsswitch?  Is this a case where
|> I'm trying to do something that isn't possible?  Ideally I would like to
|> be able to accept LDAP passwords for users that are in my /etc/passwd file
|> for logins.

Ah, okay, so you basically want all authentication to happen against an LDAP
server, but you also want to be granular with respect to who can access
certain httpd services and who can access other services such as ssh or login.
Where I worked over the summer, we had the same need.  pam_ldap is able to
restrict access based upon the service that is being requested; however, it
requires an extra objectclass and attribute(s) for each user.
The additional objectclass is named 'authorizedServiceObject', and the
attribute (multi-valued) is 'authorizedService'.

See the following URL for more details:
 http://www.netsys.com/pamldap/2003/05/msg00034.html

You may or may not have problems, depending upon the LDAP server you're
using.  Our setup was RHELAS3 with Sun One DS, and it worked like a charm
with the default OpenLDAP and PADL libraries shipped with RHEL.  I'm not sure
about ES2.1 -- you may have to grab the latest versions of those libs.

Good luck.

Michael
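
The layout the reply describes, as an added example that is not code from the thread or from the PADL project: pam_ldap.so appears only in the httpd stack, sshd and login stay on pam_unix.so, nsswitch keeps passwd on files, and the LDAP entry for a web author carries the authorizedServiceObject objectclass with authorizedService set to httpd. It writes the files into a staging directory instead of /etc and then audits which services actually consult pam_ldap.so. Assumptions: PADL pam_ldap as shipped with RHEL, where the ldap.conf directive that turns on the authorizedService check is pam_check_service_attr (confirm against the ldap.conf your pam_ldap ships with); the suffix dc=example,dc=com, the user jdoe and the 127.0.0.1 host are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread: stage the per-service PAM
# layout the reply describes (pam_ldap.so only in the httpd stack, pam_unix.so
# only in sshd/login) together with the nsswitch and pam_ldap settings, then
# audit which services actually consult pam_ldap.so.
# Assumptions: PADL pam_ldap as shipped with RHEL, where the directive that
# enforces the authorizedService attribute is "pam_check_service_attr"; the
# suffix dc=example,dc=com and the user jdoe are constructed for this example.
set -eu

# Write everything into a staging directory rather than the live /etc.
STAGE="${STAGE:-$(mktemp -d)}"

write_stacks() {
    dir="$1"
    mkdir -p "$dir/pam.d"

    # httpd: authenticate against LDAP; the account line lets pam_ldap refuse
    # users whose entry does not list "httpd" in authorizedService.
    cat > "$dir/pam.d/httpd" <<'EOF'
auth       required     pam_ldap.so
account    required     pam_ldap.so
EOF

    # sshd and login keep pam_unix.so only, so LDAP-only users cannot log in.
    for svc in sshd login; do
        cat > "$dir/pam.d/$svc" <<'EOF'
auth       required     pam_unix.so
account    required     pam_unix.so
EOF
    done

    # nsswitch as in the original post: shadow and group may come from LDAP,
    # passwd stays files-only.
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd:    files
shadow:    files ldap
group:     files ldap
EOF

    # pam_ldap client settings (assumed PADL directive names, constructed host).
    cat > "$dir/ldap.conf" <<'EOF'
host 127.0.0.1
base dc=example,dc=com
pam_check_service_attr yes
EOF

    # A web author's entry carrying the extra objectclass and attribute
    # (constructed sample entry).
    cat > "$dir/webauthor.ldif" <<'EOF'
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: authorizedServiceObject
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
authorizedService: httpd
EOF
}

# List the PAM services (file names under pam.d) whose stack references
# MODULE on a non-comment line, one per line.
services_using_module() {
    dir="$1"; module="$2"
    for f in "$dir"/pam.d/*; do
        if grep -v '^[[:space:]]*#' "$f" | grep -qF -- "$module"; then
            basename "$f"
        fi
    done
}

# Print the authorizedService values granted to the user in LDIF file $1.
authorized_services() {
    sed -n 's/^authorizedService: //p' "$1"
}

# Succeed only when httpd is the sole service that consults pam_ldap.so.
ldap_only_for_httpd() {
    [ "$(services_using_module "$1" pam_ldap.so)" = "httpd" ]
}

write_stacks "$STAGE"
echo "services using pam_ldap.so: $(services_using_module "$STAGE" pam_ldap.so | tr '\n' ' ')"
echo "services using pam_unix.so: $(services_using_module "$STAGE" pam_unix.so | tr '\n' ' ')"
ldap_only_for_httpd "$STAGE" && echo "OK: LDAP users can reach httpd only"
```

Run it as is to see the staged files and the audit, or point STAGE at a copy of a real /etc to audit an existing host. The audit only answers the reply's first point (which services load pam_ldap.so); whether a given LDAP user is accepted by httpd still depends on the server holding the ldapns schema for authorizedServiceObject and on pam_ldap being built with the service check, which is why the reply warns that older libraries on ES2.1 may need updating.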

