
2nd: re: AW: Authentication problem.



To further my understanding from the answer to the ldap authentication problem, which may have been related to an issue I had on Redhat a while back:

RE:

auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass

This allows the user to be authorized in this layer of PAM if he exists in LDAP OR /etc/shadow (/etc/passwd).  AND if I were to change these to required, you would have to exist in BOTH of them, correct?

> Yes, this is because of:
auth        sufficient    /lib/security/pam_unix.so likeauth nullok


What mechanism holds this up?  Do you mean e.g.:

login:  root

or su root won't allow you to login as root without the pam_unix.so module in the stack?

This line allows local users. But without this line, you aren't allowed
to login as "root" anymore. <


re:

Yes, this is because of:
auth sufficient /lib/security/pam_unix.so likeauth nullok

This line allows local users. But without this line, you aren't allowed
to login as "root" anymore.
To disable some local users, you could use the pam_listfile module:
auth required /lib/security/pam_env.so
auth required /lib/security/pam_listfile.so item=user
onerr=fail\
sense=deny file=/etc/invalidusers
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so

Juergen
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On behalf of
alexlam@msolutions.com.hk
Sent: Monday, 19 August 2002 08:16
To: openldap-software@OpenLDAP.org
Subject: Authentication problem.

Hi,

My question may be a little bit off topic. But, I hope I can get some
help or hints to solve my problem.

I am trying to setup Redhat 7.3 to authenticate against Openldap 2.1.3.
I use the "authconfig" shipped with Redhat 7.3 to setup the system.
It authenticates my ldap accounts in Redhat 7.3 correctly.
However, when I tried to authenticate with a system account, it
authenticated too.
Is it normal?

"authconfig" has generated the following "system-auth" file in
/etc/pam.d.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so

Do I need to change the above file to make it authenticate with
Openldap only?

Thanks,
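As an added illustration (not code from this thread), here is a small Python model of how Linux-PAM walks an auth stack with the `required` and `sufficient` control flags, run over the three stacks discussed above: the authconfig default, both lines changed to `required`, and Juergen's pam_listfile variant. The user sets and the deny list are constructed sample data, and the actual password check is left out so only the control-flag logic is shown.

```python
# Added example, not from the thread: a minimal model of Linux-PAM's auth
# stack walk.  The user sets below are constructed sample data.
LOCAL_USERS = {"root", "alice"}   # stands in for /etc/shadow
LDAP_USERS = {"alice", "bob"}     # stands in for the LDAP directory
INVALID_USERS = {"alice"}         # stands in for /etc/invalidusers

def module_result(module, user):
    """True = PAM_SUCCESS for one module (password checking is omitted)."""
    if module == "pam_env.so":
        return True                      # only sets environment variables
    if module == "pam_unix.so":
        return user in LOCAL_USERS
    if module == "pam_ldap.so":
        return user in LDAP_USERS
    if module == "pam_listfile.so":      # item=user sense=deny onerr=fail
        return user not in INVALID_USERS
    if module == "pam_deny.so":
        return False
    raise ValueError(f"unknown module {module}")

def run_auth_stack(stack, user):
    """Walk (control, module) pairs with Linux-PAM's required/sufficient rules."""
    required_failed = False
    for control, module in stack:
        ok = module_result(module, user)
        if control == "required":
            # Failure is remembered, but the rest of the stack still runs.
            required_failed = required_failed or not ok
        elif control == "sufficient":
            # Success ends the stack at once unless a required module already failed.
            if ok and not required_failed:
                return True
        else:
            raise ValueError(f"unsupported control {control}")
    return not required_failed

# The authconfig stack: a local OR an LDAP account is enough.
AUTHCONFIG = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
              ("sufficient", "pam_ldap.so"), ("required", "pam_deny.so")]
# Both lines "required": the user must exist in BOTH; pam_deny has to go too,
# otherwise that trailing required failure rejects everyone.
BOTH_REQUIRED = [("required", "pam_env.so"), ("required", "pam_unix.so"),
                 ("required", "pam_ldap.so")]
# Juergen's stack: pam_listfile rejects listed users before pam_unix can succeed.
WITH_LISTFILE = [("required", "pam_env.so"), ("required", "pam_listfile.so"),
                 ("sufficient", "pam_unix.so"), ("sufficient", "pam_ldap.so"),
                 ("required", "pam_deny.so")]
```

For instance, `run_auth_stack(AUTHCONFIG, "root")` and `run_auth_stack(AUTHCONFIG, "bob")` both return True, while `run_auth_stack(BOTH_REQUIRED, "root")` returns False because root is not in LDAP, and `run_auth_stack(WITH_LISTFILE, "alice")` returns False because alice is on the deny list.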