pam_unix, pam_ldap, and nss
ben thielsen
btb at bitrate.net
Tue Jun 8 03:58:26 UTC 2010
hi-
i've been experimenting with ldap authentication combined with traditional unix authentication, and have what appears to be a working configuration - but, in the process, it's raised some questions. my testing has been only with sshd for the moment. at the bottom of the message is my current sshd pam config. i've included the various common-* includes in the file as though they were part of it.
i'm specifically wondering about the account section. using the more basic configuration:
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so minimum_uid=1000 debug
account requisite pam_deny.so
account required pam_permit.so
ldap users were allowed in when i wasn't expecting them to be. i'm using openldap w/ the nssov overlay and the nss-pam-ldapd stub libraries. isolating just the unix module or just the ldap module resulted in each type working as desired independently, but adding in the unix module circumvented the ldap group membership requirements. since this system is also using ldap for nss - getent passwd, group, and shadow all expose ldap data, my sense was that this was the reason behind this behavior (although i don't quite understand specifically why).
my approach was to use localuser to identify if the user was local or in ldap, and then if found in ldap, apply the ldap module first, followed by the unix module only on success. it seems to work, but feels a bit convoluted. is this sane? how is this typically handled, when nss uses both local files and ldap, and the pam uses both local and ldap modules with account restrictions coming from the ldap module? i also wanted to keep the unix module first in the stack, to minimize delays if the ldap server was not reachable.
in the past i'd have used only localusers and not unix, which would simplify the account stack, but i've been cautioned previously on the list that doing so would result in things like password expiry not being honored, etc.
i'd greatly appreciate any criticism, etc. offered on my approach to solving the above, and on the below config in general.
regards
-ben
# sshd pam config
auth required pam_env.so
auth required pam_env.so envfile=/etc/default/locale
@include common-auth
### common-auth ###
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass minimum_uid=1000 debug
auth requisite pam_deny.so
auth required pam_permit.so
### end common-auth ###
account required pam_nologin.so
@include common-account
### common-account ###
# send directly to unix module if a local user, send to ldap module first if not
account [success=1 default=ignore] pam_localuser.so
account [success=ok default=1] pam_ldap.so minimum_uid=1000 debug
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
### end common-account ###
@include common-session
### common-session ###
session required pam_unix.so
session optional pam_ldap.so minimum_uid=1000 no_warn debug
session optional pam_mkhomedir.so
### end common-session ###
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv
session required pam_limits.so
@include common-password
### common-password ###
password requisite pam_passwdqc.so min=disabled,24,11,7,7
password [success=2 default=ignore] pam_unix.so use_authtok try_first_pass sha512 obscure
password [success=1 default=ignore] pam_ldap.so use_authtok try_first_pass minimum_uid=1000 debug
password requisite pam_deny.so
password required pam_permit.so
### end common-password ###
More information about the Pam-list
mailing list