Re: SuSE 8.0 Linux as OpenLDAP client

[Christian Jung <Christian.Jung@wanadoo.fr>]

Hi!

I had just a quick look on your pam-config, and:

Andreas Heilwagen wrote:
> [...]
> SUSE 8.0:
> auth     requisite      pam_unix.so             nullok #set_secrpc

This module should only be "required". "requisite" stops immediately if 
the module fails. So your box will look up the user in your 
passwd/shadow and maybe NIS, won't find it and bail out.

> auth     required       pam_securetty.so
> auth     required       pam_nologin.so
> auth     sufficient     pam_ldap.so             debug
> #auth    required       pam_homecheck.so
> auth     required       pam_env.so
> auth     required       pam_mail.so
> account  sufficient     pam_ldap.so             debug
> account  required       pam_unix.so
> password required       pam_pwcheck.so          nullok
> password required       pam_ldap.so       use_first_pass use_authok debug

This one should be set to "sufficient". If you can change the user with 
ldap, it's an externally defined user and you don't have to update 
passwd/shadow. "sufficient" stops immediately on success.

> password required       pam_unix2.so       nullok use_first_pass use_authtok
> session  required       pam_unix.so             none # debug or trace
> session  required       pam_limits.so

This should help a bit. But have a look at the documentation of pam. 
It's worth (and I can't really promise, that my modifications work and 
neither they're secure).


Chris