[ale] [Fwd: Re: OpenLDAP: So close and yet so far]

Jeff Hubbs jeffrey.hubbs at gmail.com
Wed Jun 3 14:33:50 EDT 2009


Just like that.

On Wed, Jun 3, 2009 at 2:20 PM, Jerald Sheets <questy at gmail.com> wrote:

> What does your /etc/nsswitch.conf look like for passwd/shadow/group?
>
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
>
>
> --j
>
>
>> On Wed, Jun 3, 2009 at 1:45 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>
>> That makes it worse.  See log output with it both ways at
>> http://pastebin.com/m5fca56.
>>
>> With the pam_ldap line where it was, I'm at least able to get "(Invalid
>> credentials)" returned from pam_ldap; when moved up above the pam_unix line,
>> pam_ldap never makes a response.
>>
>>
>>
>> http://pastebin.com/m5fca56
>>
>>
>> On Wed, Jun 3, 2009 at 12:50 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>>
>>> Move the pam_ldap line up one. The line above it will always capture
>>> an event and the ldap line is never called. PAM is a sequential
>>> process down the chain.
>>>
>>> In fact, if you want to tighten the security, put the pam_deny line
>>> before any "sufficient" lines in auth.
>>>
>>> On Wed, Jun 3, 2009 at 12:36 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com>
>>> wrote:
>>> > Jerald -
>>> >
>>> > That line is in there...in fact, let me paste the whole system-auth file:
>>> >
>>> > #%PAM-1.0
>>> >
>>> > auth            required        pam_env.so
>>> > auth            sufficient      pam_unix.so try_first_pass likeauth nullok
>>> > auth            sufficient      pam_ldap.so use_first_pass
>>> > auth            required        pam_deny.so
>>> >
>>> > account         required        pam_unix.so
>>> > account         sufficient      pam_ldap.so
>>> >
>>> > password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
>>> > password        sufficient      pam_unix.so try_first_pass nullok md5 shadow use_authtok
>>> > password        sufficient      pam_ldap.so use_authtok
>>> > password        required        pam_deny.so
>>> >
>>> > session         required        pam_limits.so
>>> > session         required        pam_unix.so
>>> > session         optional        pam_ldap.so
>>> >
>>> >
>>> >>
>>> >>
>>> >> Also, to let pam know about ldap, look for a line like so:
>>> >>
>>> >> auth        sufficient    pam_ldap.so use_first_pass
>>> >>
>>> >> in /etc/pam.d/system-auth
>>> >>
>>> >> Also, if you want to have home directories automagically made for
>>> >> first-time logins, you need:
>>> >>
>>> >> session     required      pam_mkhomedir.so
>>> >
>>> > Cool trick - dunno if I'll use that now but it's good to know.
>>> >
>>> > Thanks,
>>> > Jeff
>>> >
>>> > _______________________________________________
>>> > Ale mailing list
>>> > Ale at ale.org
>>> > http://mail.ale.org/mailman/listinfo/ale
>>> >
>>> >
>>>
>>>
>>>
>>> --
>>> --
>>> James P. Kinney III
>>> Actively in pursuit of Life, Liberty and Happiness
>>>
>>>
>>
>>
>>
>>
>
>
> --
> ---
> Jerald M. Sheets jr.
>
>
>
>
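Added example, not part of the thread: a small Python model of how PAM walks an auth stack, run over the auth section of the system-auth file quoted above. It assumes the classic Linux-PAM rules for required, sufficient and optional (module names and stack order are from the thread; the per-module outcomes are constructed). It shows that a failing "sufficient" line falls through to the next one, that a required pam_deny placed ahead of the "sufficient" lines denies every login, and that without the trailing pam_deny a wrong password would still pass on the strength of pam_env alone.

```python
# Model of PAM control-flag evaluation (required / sufficient / optional)
# applied to the auth section quoted from /etc/pam.d/system-auth. Module
# arguments are dropped: they do not influence the control flow.
AUTH_STACK = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_deny.so"),
]
# Variant with pam_deny placed ahead of the "sufficient" lines.
DENY_FIRST_STACK = [AUTH_STACK[0], AUTH_STACK[3], AUTH_STACK[1], AUTH_STACK[2]]
# Variant without the trailing pam_deny backstop.
NO_DENY_STACK = AUTH_STACK[:3]


def run_stack(stack, outcomes):
    """Walk a stack top to bottom using classic Linux-PAM control-flag rules.

    outcomes maps module name -> True (PAM_SUCCESS) or False (any error);
    unlisted modules fail, which is what pam_deny.so always does.
    Returns (authenticated, list of modules that were actually invoked).
    """
    called = []
    verdict = None                 # None = undecided so far, else True/False
    for control, module in stack:
        ok = outcomes.get(module, False)
        called.append(module)
        if control == "required":
            if not ok:
                verdict = False    # keep walking, but the result is failure
            elif verdict is None:
                verdict = True
        elif control == "sufficient":
            if ok and verdict is not False:
                return True, called    # success ends the stack early
            # a failing "sufficient" module is skipped; the walk continues
        elif control == "optional":
            pass                   # ignored unless it is the only module
    return verdict is True, called


if __name__ == "__main__":
    # Constructed outcomes: a local user, an LDAP-only user, a bad password.
    for name, oc in [("local", {"pam_env.so": True, "pam_unix.so": True}),
                     ("ldap", {"pam_env.so": True, "pam_ldap.so": True}),
                     ("bad", {"pam_env.so": True})]:
        print(name, run_stack(AUTH_STACK, oc))
    print("deny-first", run_stack(DENY_FIRST_STACK, {"pam_env.so": True, "pam_unix.so": True}))
    print("no-deny", run_stack(NO_DENY_STACK, {"pam_env.so": True}))
```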