pam and ldap problems

Alexander Samad alex at samad.com.au
Mon May 8 07:33:56 UTC 2006 

Hi

Just going through the process of setting up ldap authentication.

Things seem to be working fine except when I go to do some fine controll
over who can log into each machine

my nsswitch looks like this 
passwd:         files ldap 
group:          files ldap 
shadow:         files


my common-auth looks like
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so ignore_unknown_user use_first_pass
auth required pam_permit.so

i got this from the readme in the libpam-ldap package.


I am using debian AMD64 testing/unstable

I have added a variable hosts=* to my test uid entry, I have placed
pam_filter in /etc/pam_ldap.conf
pam_filter host=this.is.a.test

when I test it with the above configuration I see no requests with
search variables host=

when I modfy my common-auth to look like this

#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so ignore_unknown_user use_first_pass
auth required pam_permit.so

and re run my test (which is to login via ssh), I do see a search with
the host in it and looking for this.is.a.test, but I do not get denied.

Q1) if pam_ldap.so fails because of the host command why does it still
allow me in even though there is a pam_permit afterwards, shouldn't the
required part fail the whole lookup 

Q2) why when I uncomment the first line does it not use the pam_filter
defined in pam_ldap.conf, my presumption is that pam_unix uses glibc and
thus nsswitch - is this the catch it it access the ldap via glibc
because of my nsswith setup above ?

Q3) the above also seems to be causing problems with my xscreensaver
unlocking in the former state, it unlocks with any password. You can see
the failure in syslog, but it still unlocks.  

Thanks
Alex
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/pam-list/attachments/20060508/2f833fdd/attachment.sig>

More information about the Pam-list mailing list