pam ldap questions
Douglas B. Jones
douglas at gpc.edu
Thu Feb 22 20:42:44 UTC 2007
First, I am new to Linux and LDAP auth for a system, so with that in mind...
We have RHEL4 set up to do LDAP authentication. Had to do some tricky
things to get it to auto-create directories when we ftp in. They were:
/etc/init.d/vsftpd.conf - add 'session_support=YES'
/etc/pam.d/vsftpd:
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
/etc/pam.d/system-auth:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
#session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0066
session required /lib/security/$ISA/pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0066
/etc/pam.d/sshd:
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
Also had to start the oddjob service and do work with dbus. That is what was
needed to get the directory and profile created for a user if they ftp in
vs. ssh in.
In /etc/nsswitch.conf I have:
passwd: files ldap
shadow: files ldap
group: files ldap
Now, here are three problems that I have:
1) if the LDAP server in ldap.conf is not up, then no one can log in,
even someone with a local id in the /etc/passwd file. I thought
nsswitch.conf took care of this?
2) I want to be able to bind to more than just one base/binddn/bindpw group.
I don't see how that is doable (is that a word) in the ldap.conf file.
For that matter, the foursome of host/binddn/bindpw/bindpw would be great also.
The reason is that we have some under uid=user,dc=group1,dc=gpc,dc=edu and
others under uid=user,dc=group2,dc=gpc,dc=edu and others under uid=user,dc=group3,
dc=gpc,dc=edu. With what I see in ldap.conf, I can mention multiple hosts,
but nothing about multiple bases or multiple binds/bindpw.
3) authorizedService - is it tunable on a per-system basis? If I want them to
be able to ssh into system A, but not system B, ftp into system B, but not
system A, then ssh and ftp into system C. I do not see it in the schema for
openldap-2.3.33; where would I get 'authorizedServiceObject', which it is under?
Also, exactly what do I put as a value for vsftpd (ftp?), secure shell (ssh?).
Would scp and sftp be other values?
Thank you for any help!
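Editor's note, as an added example that is not part of the original post: problem 1) is decided by the account stack in system-auth above, not by nsswitch.conf. For a local user whose uid is not below 100, pam_succeed_if does not fire, so the stack falls through to pam_ldap; when the server is unreachable pam_ldap cannot return success or user_unknown, so the bracketed control maps its return value to default=bad and the whole account phase fails. The model below reimplements the Linux-PAM control logic from pam.d(5) (ok/done/bad/die/ignore and numeric jumps) in Python and runs the posted account stack against mocked modules. The user database (root, a local uid 500 account, one LDAP-only account) is constructed here, and pam_ldap reporting an unreachable server as PAM_AUTHINFO_UNAVAIL is an assumption of the model, not something the post states.

```python
"""Model of Linux-PAM stack dispatch, applied to the account stack from the post.
Added example; module behaviour is mocked, constructed user database, not real PAM."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SUCCESS, AUTHINFO_UNAVAIL, USER_UNKNOWN, PERM_DENIED = (
    "success", "authinfo_unavail", "user_unknown", "perm_denied")

# Keyword controls expanded to their [value=action] tables, as documented in pam.d(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

@dataclass
class Entry:
    control: Dict[str, str]   # return value -> action
    module: str               # basename, e.g. pam_ldap.so ($ISA path stripped)
    args: List[str]

def parse_stack(text: str, group: str) -> List[Entry]:
    """Keep the lines of one management group (auth/account/password/session)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, rest = line.split(None, 1)
        if mtype != group:
            continue
        if rest.startswith("["):                       # bracketed control contains spaces
            ctrl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=", 1) for kv in ctrl.split())
        else:
            ctrl, rest = rest.split(None, 1)
            control = KEYWORDS[ctrl]
        fields = rest.split()
        entries.append(Entry(control, fields[0].rsplit("/", 1)[-1], fields[1:]))
    return entries

def run_stack(entries: List[Entry], modules: Dict[str, Callable[[str, List[str]], str]],
              user: str) -> str:
    """Walk the stack the way libpam does: first failure sticks, 'done' ends early."""
    impression: Optional[str] = None   # None, "positive" or "negative"
    status = PERM_DENIED               # result if no module ever decides
    skip = 0
    for e in entries:
        if skip:
            skip -= 1
            continue
        retval = modules[e.module](user, e.args)
        action = e.control.get(retval, e.control.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        elif action != "ignore":       # numeric jump: skip N modules
            if impression is None:
                impression, status = "positive", retval
            skip = int(action)
    return status

# Constructed environment: two /etc/passwd users and one user that exists only in LDAP.
LOCAL_USERS = {"root": 0, "dbjones": 500}
LDAP_USERS = {"jsmith": 10001}

def make_modules(ldap_up: bool):
    def nss_uid(user):     # nsswitch "passwd: files ldap": files first, LDAP only if reachable
        if user in LOCAL_USERS:
            return LOCAL_USERS[user]
        return LDAP_USERS.get(user) if ldap_up else None
    def pam_unix(user, args):        # broken_shadow: any NSS-resolvable user passes
        return SUCCESS if nss_uid(user) is not None else USER_UNKNOWN
    def pam_succeed_if(user, args):  # only the "uid < N" test used on the page
        uid = nss_uid(user)
        if uid is None:
            return USER_UNKNOWN
        return SUCCESS if uid < int(args[2]) else PERM_DENIED
    def pam_ldap(user, args):        # assumption: unreachable server -> PAM_AUTHINFO_UNAVAIL
        if not ldap_up:
            return AUTHINFO_UNAVAIL
        return SUCCESS if user in LDAP_USERS else USER_UNKNOWN
    def pam_permit(user, args):
        return SUCCESS
    return {"pam_unix.so": pam_unix, "pam_succeed_if.so": pam_succeed_if,
            "pam_ldap.so": pam_ldap, "pam_permit.so": pam_permit}

# The account stack exactly as posted, and the same stack with authinfo_unavail ignored.
ORIGINAL = """\
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
"""
FIXED = ORIGINAL.replace("user_unknown=ignore]", "user_unknown=ignore authinfo_unavail=ignore]")

def account_result(stack_text: str, user: str, ldap_up: bool) -> str:
    return run_stack(parse_stack(stack_text, "account"), make_modules(ldap_up), user)

if __name__ == "__main__":
    for label, stack in (("original", ORIGINAL), ("fixed", FIXED)):
        for user in ("root", "dbjones", "jsmith"):
            for up in (True, False):
                print(f"{label:8} user={user:8} ldap_up={up!s:5} -> {account_result(stack, user, up)}")
```

With the posted stack, root still gets in when LDAP is down (uid 0 satisfies the sufficient pam_succeed_if line), but the uid 500 local account is denied with authinfo_unavail. Adding authinfo_unavail=ignore to the pam_ldap line lets local users through an outage while the LDAP-only user is still denied, because pam_unix (required) cannot resolve that user without NSS. Two things the model leaves out: nss_ldap itself will stall lookups (group enumeration, for example) until it gives up on the server, so ldap.conf also needs bind_policy soft plus short bind_timelimit/timelimit values, and the auth stack is fine as posted because pam_unix is sufficient and ends the stack before pam_ldap is consulted for a local password.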