[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: pam ldap questions



First, I am new to linux and ldap auth for a system, so with that in mind....

We have rhel4 set up to do ldap authentication. Had to do some tricky
things to get it to auto create directories when we ftp in. They were:

/etc/init.d/vsftpd.conf - add 'session_support=YES'
/etc/pam.d/vsftpd:
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

/etc/pam.d/system-auth:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
#session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0066
session required /lib/security/$ISA/pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0066

/etc/pam.d/sshd:
auth       required     pam_stack.so service=system-auth 
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth 
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so

Also had to start the oddjob service and do work with dbus. That is what was
needed to get the directory and profile created for a user if the ftp in
vs. ssh in.

In /etc/nsswitch.conf I have:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

Now, here are three problems that I have:

1) if the ldap server in ldap.conf is not up, then no one can login,
   even someone with a local id in the /etc/passwd file. I thought
   nsswitch.conf took care of this?

2) I want to be able to bind to more than just one base/binddn/bindpw group.
   I don't see how that is doable (is that a word) in the ldap.conf file.
   For that matter, the foursome of host/binddn/bindpw/bindpw would be great also.
   The reason is that we have some under uid=user,dc=group1,dc=gpc,dc=edu and
   others under uid=user,dc=group2,dc=gpc,dc=edu and others under uid=user,dc=group3,
   dc=gpc,dc=edu. With what I see in ldap.conf, I can mention multiple hosts,
   but nothing about multiple bases or multiple binds/bindpw.

3) authorizedService - is it tunable on a per system bases? If I want them to
   be able to ssh into system A, but not system B. Ftp into system B, but not
   system A, then ssh and ftp into system C. I do not see it in the schema for
   openldap-2.3.33, where would I get 'authorizedServiceObject' which it is under?
   Also, exactly what do I put as a value for vfstpd (ftp?), secure shell (ssh?).
   Would scp and sftp be other values?

Thank you for any help!



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]