[ale] [Fwd: Re: OpenLDAP: So close and yet so far]

Jim Kinney jim.kinney at gmail.com
Wed Jun 3 15:27:34 EDT 2009


JeffHubbs==Gentoo

On Wed, Jun 3, 2009 at 3:12 PM, Jerald Sheets<questy at gmail.com> wrote:
> Redhat/Debian/Ubuntu/Slack?  Which?
>
> On Wed, Jun 3, 2009 at 2:33 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>>
>> Just like that.
>>
>> On Wed, Jun 3, 2009 at 2:20 PM, Jerald Sheets <questy at gmail.com> wrote:
>>>
>>> What does your /etc/nsswitch.conf look like for passwd/shadow/group?
>>>
>>> passwd:     files ldap
>>> shadow:     files ldap
>>> group:      files ldap
>>>
>>>
>>> --j
>>>
>>> On Wed, Jun 3, 2009 at 1:45 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com>
>>> wrote:
>>>>
>>>> That makes it worse.  See log output with it both ways at
>>>> http://pastebin.com/m5fca56.
>>>>
>>>> With the pam_ldap line where it was, I'm at least able to get "(Invalid
>>>> credentials)" returned from pam_ldap;when moved up above the pam_unix line,
>>>> pam_ldap never makes a response.
>>>>
>>>>
>>>>
>>>> http://pastebin.com/m5fca56
>>>>
>>>> On Wed, Jun 3, 2009 at 12:50 PM, Jim Kinney <jim.kinney at gmail.com>
>>>> wrote:
>>>>>
>>>>> move the pam_ladp line up one. The line above it will always capture
>>>>> an event and the ldap line is never called. pam is a sequential
>>>>> process down the chain.
>>>>>
>>>>> In fact, if you want to tighten the security, put the pam_deny line
>>>>> before any "sufficient" lines in auth.
>>>>>
>>>>> On Wed, Jun 3, 2009 at 12:36 PM, Jeff Hubbs<jeffrey.hubbs at gmail.com>
>>>>> wrote:
>>>>> > Jerald -
>>>>> >
>>>>> > That line is in there...in fact, let me paste the whole system-auth
>>>>> > file:
>>>>> >
>>>>> > #%PAM-1.0
>>>>> >
>>>>> > auth            required        pam_env.so
>>>>> > auth            sufficient      pam_unix.so try_first_pass likeauth
>>>>> > nullok
>>>>> > auth            sufficient      pam_ldap.so use_first_pass
>>>>> > auth            required        pam_deny.so
>>>>> >
>>>>> > account         required        pam_unix.so
>>>>> > account         sufficient      pam_ldap.so
>>>>> >
>>>>> > password        required        pam_cracklib.so difok=2 minlen=8
>>>>> > dcredit=2
>>>>> > ocredit=2 try_first_pass retry=3
>>>>> > password        sufficient      pam_unix.so try_first_pass nullok md5
>>>>> > shadow
>>>>> > use_authtok
>>>>> > password        sufficient      pam_ldap.so use_authtok
>>>>> > password        required        pam_deny.so
>>>>> >
>>>>> > session         required        pam_limits.so
>>>>> > session         required        pam_unix.so
>>>>> > session         optional        pam_ldap.so
>>>>> >
>>>>> >
>>>>> >>
>>>>> >>
>>>>> >> Also, to let pam know about ldap, look for a line like so:
>>>>> >>
>>>>> >> auth        sufficient    pam_ldap.so use_first_pass
>>>>> >>
>>>>> >> in /etc/pam.d/system-auth
>>>>> >>
>>>>> >> Also, if you want to have home directories automagically made for
>>>>> >> first-time logins, you need:
>>>>> >>
>>>>> >> session     required      pam_mkhomedir.so
>>>>> >
>>>>> > Cool trick - dunno if I'll use that now but it's good to know.
>>>>> >
>>>>> > Thanks,
>>>>> > Jeff
>>>>> >
>>>>> > _______________________________________________
>>>>> > Ale mailing list
>>>>> > Ale at ale.org
>>>>> > http://mail.ale.org/mailman/listinfo/ale
>>>>> >
>>>>> >
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> --
>>>>> James P. Kinney III
>>>>> Actively in pursuit of Life, Liberty and Happiness
>>>>>
>>>>> _______________________________________________
>>>>> Ale mailing list
>>>>> Ale at ale.org
>>>>> http://mail.ale.org/mailman/listinfo/ale
>>>>
>>>>
>>>> _______________________________________________
>>>> Ale mailing list
>>>> Ale at ale.org
>>>> http://mail.ale.org/mailman/listinfo/ale
>>>>
>>>
>>>
>>>
>>> --
>>> ---
>>> Jerald M. Sheets jr.
>>>
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>>
>>
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>>
>
>
>
> --
> ---
> Jerald M. Sheets jr.
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
>



-- 
-- 
James P. Kinney III
Actively in pursuit of Life, Liberty and Happiness



More information about the Ale mailing list