
Re: OpenLDAP + User Authentication + Laptop = ?



Rich,

The default system-auth for redhat-8.0 looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so


session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

When you use the authconfig program in redhat to tell it to authenticate against ldap, it changes the file to:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so


password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so


session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

While this is mostly correct, it causes problems with this line:

account     required      /lib/security/pam_unix.so

This causes an ldap query if your nsswitch is configured to resolve passwd/groups against the directory.

If you set this to:

account      sufficient    /lib/security/pam_unix.so

It should start working...

schu





Rich West wrote:

As with many of the PAM setups nowadays, RH used the pam_stack.so to pass
things off to the system-auth PAM file.  Our default system-auth file, which
works for connected users, turns out to look exactly like the one from
http://www.mandrakesecure.net/en/docs/ldap-auth.php, and, actually, it is the
same as the default install from RH 8.0.

Of course, reverting the system-auth file back to one without any references to
LDAP fixes this problem, but once the user is connected back up to the network,
they obviously cannot authenticate against the LDAP server because of the
removal of the references from their system-auth file.
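As an added illustration (not code from the post or from Red Hat's authconfig), here is a small Python evaluator of the PAM control-flag rules, run over the two account stacks above with simulated module outcomes: it shows that pam_ldap.so is still reached while pam_unix.so is "required", and is skipped once pam_unix.so is "sufficient". The AUTHCONFIG/FIXED strings and the outcome values (service_err, perm_denied, user_unknown) are constructed inputs.

```python
"""Toy evaluator for the PAM control flags in the system-auth stacks above.
Added example, not from the original post; keyword expansions follow the
Linux-PAM manual and module outcomes are simulated (no real pam_*.so is loaded)."""
import re

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")
# Keyword controls written out in the explicit [value=action] form.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# The authconfig-generated account stack from the post, and the suggested fix.
AUTHCONFIG = """
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
"""
FIXED = AUTHCONFIG.replace("account required", "account sufficient")

def parse_stack(text, facility="account"):
    """Return [(control, module)] for one facility; comment lines never match."""
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1) == facility:
            stack.append((m.group(2), m.group(3).rsplit("/", 1)[-1]))
    return stack

def actions_for(control):
    if control.startswith("["):
        return dict(kv.split("=", 1) for kv in control[1:-1].split())
    return KEYWORDS[control]

def run_stack(stack, outcomes):
    """Walk the stack; return (final result, modules actually invoked).
    outcomes maps module -> return value it would give; unlisted modules succeed."""
    called, status = [], None                # status: first decisive result, if any
    for control, module in stack:
        called.append(module)                # only modules the walk reaches get run
        result = outcomes.get(module, "success")
        acts = actions_for(control)
        action = acts.get(result, acts.get("default", "bad"))
        if action != "ignore" and status in (None, "success"):
            status = result                  # first failure sticks; later successes cannot undo it
        if action == "die" or (action == "done" and status == "success"):
            break                            # requisite failure / sufficient success ends the walk
    return status or "perm_denied", called   # undecided stack is denied, as in Linux-PAM
```

The same walk also shows the trade-off of the fix: with pam_unix.so "sufficient", a denial returned by pam_ldap.so for a user the local account check accepts is never consulted, so any account restrictions kept only in the directory stop applying to such users.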