
Re: How to change the login look up order with LDAP?





Tony Earnshaw wrote:
Sun, 2003-02-02 at 20:08, Shi Jin wrote:


I think my problem is in the /etc/pam.d
My /etc/pam.d/login looks like this:
[seki@k62 pam.d]$ cat login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so


Is there anything wrong with it?


Yes. First, make sure you (somehow or another, you state neither your
OS, distro nor nss_ldap version, if any) have PADL's nss_ldap and
pam_ldap packages installed. It doesn't look as if you have. When you
have, a *lot* in /etc/pam.d should have different contents to what you
have now.


In fact, it's a Red Hat "problem".
When you configure auth with the Red Hat "setup" tool, it manages to change only ONE file. That's why auth is returned by service=system-auth, which is used in all other pam files.


the corresponding file in /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so


password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so


session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so


And by default, an LDAP-configured auth is not reporting to files ... ask Red Hat why ...



Regards

		Julien
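To see which backend a service such as login actually consults first, here is an added example (not code from the thread): a small Python script that follows the pam_stack.so service= indirection and flattens the effective module stack. The sample files are constructed from the two configs quoted above, trimmed to the auth and account types.

```python
# Added example (not from the thread): flatten pam_stack.so "service=" indirection
# so the effective module order (pam_unix = files vs. pam_ldap = LDAP) can be seen.
import re

# Constructed sample files modelled on Shi Jin's login and Julien's system-auth.
PAM_FILES = {
    "login": """#%PAM-1.0
auth     required  /lib/security/pam_securetty.so
auth     required  /lib/security/pam_stack.so service=system-auth
auth     required  /lib/security/pam_nologin.so
account  required  /lib/security/pam_stack.so service=system-auth
""",
    "system-auth": """#%PAM-1.0
auth     required    /lib/security/pam_env.so
auth     sufficient  /lib/security/pam_unix.so likeauth nullok
auth     sufficient  /lib/security/pam_ldap.so use_first_pass
auth     required    /lib/security/pam_deny.so
account  required    /lib/security/pam_unix.so
account  [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so
""",
}

# type, control (plain word or [bracketed]), module path, optional arguments
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Yield (type, control, module basename, args) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and (m := LINE_RE.match(line)):
            yield m[1], m[2], m[3].rsplit("/", 1)[-1], m[4].split()

def effective_stack(service, mtype, files=PAM_FILES, depth=0):
    """Return [(control, module, args)] that PAM will actually walk for mtype."""
    if depth > 8:  # a service that stacks itself would otherwise loop forever
        raise RuntimeError("pam_stack loop via " + service)
    out = []
    for t, control, module, args in parse(files[service]):
        if t != mtype:
            continue
        if module == "pam_stack.so":
            sub = next(a[len("service="):] for a in args if a.startswith("service="))
            out.extend(effective_stack(sub, mtype, files, depth + 1))
        else:
            out.append((control, module, args))
    return out

def lookup_order(service, mtype="auth"):
    """Backends in the order tried: 'unix' before 'ldap' means local files win."""
    return [m[4:-3] for _, m, _ in effective_stack(service, mtype)
            if m in ("pam_unix.so", "pam_ldap.so")]
```

Because both backend lines in system-auth are marked sufficient, the first one that succeeds ends the auth stack, so the order of the pam_unix and pam_ldap lines in that one file is what decides the lookup order for every service that stacks it.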