pam and ldap problems
Alexander Samad
alex at samad.com.au
Mon May 8 07:33:56 UTC 2006
Hi
Just going through the process of setting up ldap authentication.
Things seem to be working fine except when I go to do some fine control
over who can log into each machine.
My nsswitch looks like this:
passwd: files ldap
group: files ldap
shadow: files
My common-auth looks like:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so ignore_unknown_user use_first_pass
auth required pam_permit.so
I got this from the README in the libpam-ldap package.
I am using Debian AMD64 testing/unstable.
I have added a variable hosts=* to my test uid entry, and I have placed
pam_filter in /etc/pam_ldap.conf:
pam_filter host=this.is.a.test
When I test it with the above configuration I see no requests with
search variables host=.
When I modify my common-auth to look like this:
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so ignore_unknown_user use_first_pass
auth required pam_permit.so
and re-run my test (which is to login via ssh), I do see a search with
the host in it, looking for this.is.a.test, but I do not get denied.
Q1) If pam_ldap.so fails because of the host command, why does it still
allow me in even though there is a pam_permit afterwards? Shouldn't the
required part fail the whole lookup?
Q2) Why, when I uncomment the first line, does it not use the pam_filter
defined in pam_ldap.conf? My presumption is that pam_unix uses glibc and
thus nsswitch - is this the catch, that it accesses the ldap via glibc
because of my nsswitch setup above?
Q3) The above also seems to be causing problems with my xscreensaver
unlocking: in the former state, it unlocks with any password. You can see
the failure in syslog, but it still unlocks.
Thanks
Alex
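To see which module is actually consulted by each of the two common-auth stacks quoted above, and what the stack as a whole returns for each module outcome, here is a small simulator of the Linux-PAM control-flag rules (required/requisite/sufficient/optional and the [success=N default=ignore] form). It is an added example, not part of the original mail or of Linux-PAM; module names, the 'success'/'auth_err' return values and the simplified keyword-to-action tables are assumptions of the simulation.

```python
"""Simulator of Linux-PAM control-flag evaluation for the two common-auth
stacks quoted in the mail (added example, not part of the original post)."""
from typing import Dict, List, Tuple
Stack = List[Tuple[str, str]]  # one (control field, module name) pair per line
# Classic keywords as simplified [key=action] lists (see pam.conf(5));
# 'default' covers every module return value not listed explicitly.
CLASSIC = {
    "required":   {"success": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}
def parse_control(control: str) -> Dict[str, str]:
    """'[success=1 default=ignore]' -> {'success': '1', 'default': 'ignore'}."""
    if control.startswith("["):
        return dict(kv.split("=", 1) for kv in control.strip("[]").split())
    return CLASSIC[control]
def run_stack(stack: Stack, returns: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk the stack; `returns` maps each module to what it would return
    ('success' or 'auth_err', standing for any failure). Gives the stack's
    final result and the modules that were actually consulted."""
    final = None                    # no module has contributed a result yet
    consulted: List[str] = []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        consulted.append(module)
        rv = returns[module]
        actions = parse_control(control)
        action = actions.get(rv, actions.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            final = "auth_err"      # a recorded failure is sticky from here on
        elif final != "auth_err":   # ok / done / N contribute rv unless already failed
            final = rv
        if action == "die" or (action == "done" and final == "success"):
            break                   # requisite failure, or sufficient success
        if action.isdigit():        # success=N: jump over the next N modules
            i += int(action)
    return (final or "auth_err"), consulted   # an all-ignored stack denies
# The two stacks from the mail; STACK_B is STACK_A with the pam_unix line commented out.
STACK_A: Stack = [("[success=1 default=ignore]", "pam_unix"),
                  ("required", "pam_ldap"), ("required", "pam_permit")]
STACK_B: Stack = STACK_A[1:]
```

With STACK_A, a pam_unix success jumps straight to pam_permit and pam_ldap is never called; a pam_ldap failure under "required" yields auth_err even though pam_permit succeeds afterwards.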