Re: OpenLDAP + User Authentication + Laptop = ?
Rich,
The default system-auth for redhat-8.0 looks like this:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
When you use the authconfig program in redhat to tell it to authenticate
against ldap it changes the file to:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
While this is mostly correct, it causes problems with this line:
account required /lib/security/pam_unix.so
This causes an ldap query if your nsswitch is configured to resolve
passwd/groups against the directory.
If you set this to:
account sufficient /lib/security/pam_unix.so
It should start working...
schu
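A small simulator of Linux-PAM account-stack dispatch, added here as an example and not part of the original message, showing why changing the pam_unix line from required to sufficient stops the stack from ever reaching pam_ldap when the laptop is off the network. The module results are constructed (pam_unix succeeds for a local user, pam_ldap returns system_err because the directory is unreachable) and the control semantics are a simplification of pam.conf(5).

```python
import re

# Action tables Linux-PAM uses for the simple control keywords (see pam.conf(5)).
CONTROL = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def parse_stack(text, stack_type="account"):
    """Return [(action_table, module_name)] for the lines of one stack type."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\[[^\]]+\]|\w+)\s+(\S+)", line)
        if not m or m.group(1) != stack_type:
            continue                      # comments, blank lines, other stacks
        ctl = m.group(2)
        table = (dict(kv.split("=") for kv in ctl.strip("[]").split())
                 if ctl.startswith("[") else CONTROL[ctl])
        entries.append((table, m.group(3).rsplit("/", 1)[-1]))
    return entries

def run_stack(entries, modules):
    """Dispatch like Linux-PAM; returns (final_result, modules_invoked)."""
    status, invoked = None, []            # None: no module has set a result yet
    for table, name in entries:
        invoked.append(name)
        code = modules[name]()
        action = table.get(code, table["default"])
        if action == "ignore":
            continue                      # result does not count towards the stack
        if status in (None, "success"):   # first result, or still clean: adopt this one
            status = code
        if action == "die" or (action == "done" and status == "success"):
            break                         # requisite failure / sufficient success ends the stack
    return (status or "perm_denied"), invoked   # all-ignored stack is denied, as in Linux-PAM

LDAP_LINE = ("account [default=bad success=ok user_unknown=ignore "
             "service_err=ignore system_err=ignore] /lib/security/pam_ldap.so")
AUTHCONFIG = "account required /lib/security/pam_unix.so\n" + LDAP_LINE
PROPOSED = "account sufficient /lib/security/pam_unix.so\n" + LDAP_LINE

# Constructed module behaviour for a local user on a disconnected laptop: pam_unix passes from
# /etc/shadow; pam_ldap cannot reach the directory (really it blocks until the LDAP timeout) -> system_err.
OFFLINE_LOCAL_USER = {"pam_unix.so": lambda: "success", "pam_ldap.so": lambda: "system_err"}

def compare(modules=OFFLINE_LOCAL_USER):
    """Run both account stacks; shows which one still invokes pam_ldap when offline."""
    return {name: run_stack(parse_stack(cfg), modules)
            for name, cfg in (("authconfig", AUTHCONFIG), ("proposed", PROPOSED))}
```

With the authconfig stack the local user is still accepted, but only after pam_ldap has been invoked (and, on a real laptop, after its timeout); with the sufficient variant pam_ldap is never called for a local user.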
Rich West wrote:
As with many of the PAM setups nowadays, RH used the pam_stack.so to pass
things off to the system-auth PAM file. Our default system-auth file, which
works for connected users, turns out to look exactly like the one from
http://www.mandrakesecure.net/en/docs/ldap-auth.php, and, actually, it is the
same as the default install from RH 8.0.
Of course, reverting the system-auth file back to one without any references to
LDAP fixes this problem, but once the user is connected back up to the network,
they obviously cannot authenticate against the LDAP server because of the
removal of the references from their system-auth file.