
Re: openldap, pam_ldap, accounts



On Mon, 6 Dec 1999, Ben Collins wrote:

> On Mon, Dec 06, 1999 at 11:06:17AM +0000, John P. Looney wrote:
> >  Should I use the exact /etc/pam.d files that come with pam_ldap then?
> > They are markedly different than the ones that come with RedHat 6.1

> If you are using nss_ldap with the correct setup (one that can read the
> password attribute) then all you need is to add pam_ldap to the "password"
> services. If you are using nss_ldap just for uid and gid lookups (not able
> to get the password attribute), then you need to add pam_ldap.so entries
> like this prior to each pam_pwdb/pam_unix (for auth only I think):

> auth sufficient /lib/security/pam_ldap.so

> Also add whatever options you may want (see docs). This will allow
> pam_ldap.so to authenticate users, but it will fall through to pam_pwdb
> (or pam_unix, whichever you use) for system accounts (like root).

I would recommend placing pam_unix before pam_ldap in the auth config,
simply because locally defined accounts should probably take precedence over
accounts by the same name that are defined in the LDAP directory.

-Steve Langasek
postmodern programmer
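As an added illustration of the ordering point made above (this is example code written for this page, not anything posted in the thread), here is a small checker that parses the old-style /etc/pam.d syntax and flags an "auth" stack in which pam_ldap.so is listed before pam_unix.so or pam_pwdb.so, so that a directory entry with the same name as a local account could be tried first. The two sample service files are constructed for the example; the `use_first_pass` option on pam_ldap is a real option but is not mentioned in the thread.

```python
"""Check a pam.d service file for the auth ordering recommended above:
pam_unix/pam_pwdb before pam_ldap, so local accounts take precedence over
same-named LDAP entries. Sample configs below are constructed."""

# Constructed sample: the layout described in the quoted mail (pam_ldap first)
LDAP_FIRST = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_ldap.so
"""

# Constructed sample: local module first, as recommended in the reply;
# use_first_pass stops pam_ldap re-prompting when pam_unix already asked.
UNIX_FIRST = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_unix.so
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
"""

LOCAL_MODULES = {"pam_unix.so", "pam_pwdb.so"}


def parse_stack(text, service="auth"):
    """Return the ordered (control, module) pairs for one service type,
    skipping comments and blank lines (old-style pam.d syntax)."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != service:
            continue
        # keep only the module basename, whether or not a full path is given
        stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack


def ldap_before_local(text):
    """True if pam_ldap.so is reached in the auth stack before any local
    password module, i.e. LDAP entries could shadow local accounts."""
    seen_local = False
    for _control, module in parse_stack(text, "auth"):
        if module in LOCAL_MODULES:
            seen_local = True
        elif module == "pam_ldap.so" and not seen_local:
            return True
    return False


if __name__ == "__main__":
    for name, cfg in (("ldap-first", LDAP_FIRST), ("unix-first", UNIX_FIRST)):
        print(name, "LDAP tried before local" if ldap_before_local(cfg) else "ok")
```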