[ale] [Fwd: Re: OpenLDAP: So close and yet so far]
Jim Kinney
jim.kinney at gmail.com
Wed Jun 3 12:50:28 EDT 2009
move the pam_ldap line up one. The line above it will always capture
an event and the ldap line is never called. pam is a sequential
process down the chain.
In fact, if you want to tighten the security, put the pam_deny line
before any "sufficient" lines in auth.
On Wed, Jun 3, 2009 at 12:36 PM, Jeff Hubbs<jeffrey.hubbs at gmail.com> wrote:
> Jerald -
>
> That line is in there...in fact, let me paste the whole system-auth file:
>
> #%PAM-1.0
>
> auth required pam_env.so
> auth sufficient pam_unix.so try_first_pass likeauth nullok
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_ldap.so
>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
> password sufficient pam_unix.so try_first_pass nullok md5 shadow use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session required pam_limits.so
> session required pam_unix.so
> session optional pam_ldap.so
>
>
>>
>>
>> Also, to let pam know about ldap, look for a line like so:
>>
>> auth sufficient pam_ldap.so use_first_pass
>>
>> in /etc/pam.d/system-auth
>>
>> Also, if you want to have home directories automagically made for
>> first-time logins, you need:
>>
>> session required pam_mkhomedir.so
>
> Cool trick - dunno if I'll use that now but it's good to know.
>
> Thanks,
> Jeff
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
>
--
James P. Kinney III
Actively in pursuit of Life, Liberty and Happiness
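The discussion above turns on how libpam walks a stack such as the posted system-auth: top to bottom, with the control flag of each line deciding whether the chain stops or goes on. The following added example is a small Python model of that walk (it is not code from the thread, from Linux-PAM or from OpenLDAP). The module functions, the user tables LOCAL_USERS and LDAP_USERS, and the helper names parse_stack, run_stack, authenticate and modules_consulted are all constructed for illustration; only the control-flag rules (required, requisite, sufficient, optional) and the posted auth lines come from real PAM behaviour and the message above.

```python
"""Toy model of Linux-PAM stack evaluation (added example, not from the thread).

The "modules" below are stand-ins that consult constructed in-memory user
tables instead of /etc/shadow or an LDAP directory.  What is modelled
faithfully is the walk itself: required / requisite / sufficient / optional
and the way a successful sufficient module ends the stack early.
"""

# Constructed sample data: a local account, a directory-only account and a
# local account with an empty password (the case the nullok option governs).
LOCAL_USERS = {"alice": "alice-pw", "guest": ""}
LDAP_USERS = {"bob": "bob-pw"}


def pam_env(user, password, opts):
    return True                          # only sets environment variables


def pam_unix(user, password, opts):
    stored = LOCAL_USERS.get(user)
    if stored is None:
        return False                     # not a local account; the stack goes on
    if stored == "" and "nullok" not in opts:
        return False                     # empty password accepted only with nullok
    return password == stored


def pam_ldap(user, password, opts):
    return LDAP_USERS.get(user) == password


def pam_deny(user, password, opts):
    return False


MODULES = {
    "pam_env.so": pam_env,
    "pam_unix.so": pam_unix,
    "pam_ldap.so": pam_ldap,
    "pam_deny.so": pam_deny,
}


def parse_stack(text, facility="auth"):
    """Return [(control, module, options)] for one facility of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] != facility:
            continue
        stack.append((fields[1], fields[2], set(fields[3:])))
    return stack


def run_stack(stack, user, password, consulted=None):
    """Walk the stack the way libpam does and return the final verdict.

    consulted, if given, collects the modules actually executed, which shows
    where a sufficient module short-circuited the chain.
    """
    required_failed = False
    required_ok = False
    for control, module, opts in stack:
        ok = MODULES[module](user, password, opts)
        if consulted is not None:
            consulted.append(module)
        if control in ("required", "requisite"):
            if ok:
                required_ok = True
            elif control == "requisite":
                return False             # requisite failure ends the stack at once
            else:
                required_failed = True   # remembered; the stack still continues
        elif control == "sufficient":
            if ok and not required_failed:
                return True              # success here ends the stack at once
            # a failing sufficient module is simply ignored
        # optional: ignored unless it is the only module (not modelled here)
    return required_ok and not required_failed


def authenticate(config_text, user, password):
    return run_stack(parse_stack(config_text), user, password)


def modules_consulted(config_text, user, password):
    consulted = []
    run_stack(parse_stack(config_text), user, password, consulted)
    return consulted


# The auth lines from the posted system-auth, in their posted order.
AUTH_POSTED = """
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""

# Same stack with pam_unix's nullok option removed.
AUTH_NO_NULLOK = AUTH_POSTED.replace(" nullok", "")

# Same stack with the required pam_deny line ahead of the sufficient lines.
AUTH_DENY_FIRST = """
auth required pam_env.so
auth required pam_deny.so
auth sufficient pam_unix.so try_first_pass likeauth
auth sufficient pam_ldap.so use_first_pass
"""

if __name__ == "__main__":
    for name, cfg in [("posted", AUTH_POSTED), ("deny first", AUTH_DENY_FIRST)]:
        for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("guest", "")]:
            print(name, user, authenticate(cfg, user, pw), modules_consulted(cfg, user, pw))
```

Running it shows the two properties worth checking before touching a real system-auth: a local user never reaches pam_ldap.so because the sufficient pam_unix.so line returns success first, while a directory-only user fails pam_unix.so (ignored, since it is sufficient) and is then handled by pam_ldap.so; and a required pam_deny.so placed before the sufficient lines records a failure that no later sufficient success can override, so every request in that stack is refused. The nullok variant makes the other caveat visible: with that option a local account with an empty password field logs in with an empty password.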