Re: Passwords in OpenLDAP - another question
Hi,
Jadick, Joe wrote:
Brent,
I apologize for not getting back to you sooner but I was on vacation;
then working on other stuff.
Most of what I have read seems to indicate that you add an entry like
this to the /etc/pam.d/sshd file:
auth sufficient /lib/security/pam_ldap.so
in front of the default entry:
auth required /lib/security/pam_unix.so shadow nullok use_first_pass
Also, it looks like you make a similar change to the account entry.
However, my /etc/pam.d/sshd file (RedHat 8.0) looks like this:
[root@anadts41 pam.d]# cat sshd
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
[root@anadts41 pam.d]#
I haven't been able to find a definition of what pam_stack.so is (in
the Linux-PAM System Administrators' Guide, for example) so I don't
know if this is correct or not.
pam_stack.so works as an include directive: the modules defined in the
/etc/pam.d/system-auth file are stacked in the place where the pam_stack.so line is.
BEWARE: several (all??) pam.d/<files> use pam_stack.so and thereby open
authentication with LDAP for these services.
Samples (RedHat)
Suppose the system-auth file content is:
## File /etc/pam.d/system-auth
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_localuser.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
and also
## File /etc/pam.d/su
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam_stack.so service=system-auth
session optional /lib/security/$ISA/pam_xauth.so
Thanks for any assistance anyone can provide a PAM/LDAP newbie (in case
that wasn't evident from my question!).
Joe
-----Original Message-----
From: Brent Kearney [mailto:brent@kearneys.ca]
Sent: Tuesday, June 24, 2003 2:51 PM
To: Jadick, Joe
Cc: openldap-software@OpenLDAP.org
Subject: Re: Passwords in OpenLDAP - another question
On Tue, Jun 24, 2003 at 02:11:03PM -0700, Jadick, Joe wrote:
> Hi,
>
> I have a follow-up question to the original thread.
>
> My environment is Red Hat Linux, 8.0 with OpenLDAP 2.1.17.
>
> I added a user via useradd; migrated him to LDAP using the migration tools;
> and then deleted him via userdel.
>
> I find that I can su to this account from another one and, after providing
> the password, everything works OK.
>
> Also, the getent and ldapsearch displays seem to be correct (both when the
> user was in LDAP and files and after I deleted him from files).
>
> However, when I try to log into the account directly using SSH it won't
> accept the password.
>
> Any ideas what I'm doing wrong?
Have you modified the /etc/pam.d/* files appropriately (specifically,
the one for ssh)?
Brent
--
http://oss.netmojo.ca/
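A way to check the BEWARE above on a real box, added here as an example and not code from anyone in the thread: a small Python script that parses a pam.d directory, expands every "pam_stack.so service=..." line in place (only the lines of the same type, auth/account/etc., which is what pam_stack.so does), and reports which services' auth stacks actually reach pam_ldap.so. It runs against constructed copies of the system-auth, sshd and su files quoted above (trimmed to auth and account lines) plus an assumed "local-only" service that never touches LDAP; the handling of the newer include/substack control keywords goes beyond the pam_stack.so setup the thread describes.

```python
import os
import re
import tempfile

# Constructed sample pam.d files: system-auth, sshd and su follow the Red Hat 8.0
# snippets in the thread (trimmed to auth/account); "local-only" is an assumed
# service that never reaches pam_ldap.so, for contrast.
SAMPLE_PAMD = {
    "system-auth": """\
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_localuser.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
""",
    "sshd": """\
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
""",
    "su": """\
auth sufficient /lib/security/$ISA/pam_rootok.so
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
""",
    "local-only": """\
auth required /lib/security/pam_unix.so shadow nullok
account required /lib/security/pam_unix.so
""",
}

# type, control word or [bracketed control block], module path, optional args
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_pam_file(path):
    """Parse one pam.d file into (type, control, module basename, args) tuples."""
    entries = []
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = LINE_RE.match(line)
            if not m:
                raise ValueError(f"{path}: cannot parse {line!r}")
            mtype, control, module, args = m.groups()
            entries.append((mtype, control, os.path.basename(module), (args or "").split()))
    return entries

def resolve_stack(pamd_dir, service, _seen=frozenset()):
    """Effective stack of a service with pam_stack.so expanded in place.

    pam_stack.so pulls in only lines of the same type (auth, account, ...) from
    the target file, so the expansion is filtered on type. The newer
    'include'/'substack' control keywords are expanded the same way, which goes
    beyond the pam_stack.so setup the thread describes.
    """
    if service in _seen:
        raise ValueError(f"include loop at {service}")
    resolved = []
    for mtype, control, module, args in parse_pam_file(os.path.join(pamd_dir, service)):
        if module == "pam_stack.so":
            target = next((a[len("service="):] for a in args if a.startswith("service=")), None)
            if target is None:
                raise ValueError(f"{service}: pam_stack.so without service=")
        elif control in ("include", "substack"):
            target = module
        else:
            resolved.append((mtype, control, module, args))
            continue
        resolved.extend(e for e in resolve_stack(pamd_dir, target, _seen | {service}) if e[0] == mtype)
    return resolved

def auth_modules(pamd_dir, service):
    """Module names in the effective auth stack, in evaluation order."""
    return [m for t, _, m, _ in resolve_stack(pamd_dir, service) if t == "auth"]

def ldap_auth_services(pamd_dir):
    """Map every service in pamd_dir to whether its auth stack reaches pam_ldap.so."""
    return {svc: "pam_ldap.so" in auth_modules(pamd_dir, svc) for svc in sorted(os.listdir(pamd_dir))}

def write_samples():
    """Write SAMPLE_PAMD into a fresh temporary directory and return its path."""
    d = tempfile.mkdtemp(prefix="pamd-")
    for name, body in SAMPLE_PAMD.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d

if __name__ == "__main__":
    pamd = write_samples()  # point this at /etc/pam.d on a real host
    for svc, uses_ldap in ldap_auth_services(pamd).items():
        print(f"{svc:12s} auth reaches pam_ldap.so: {uses_ldap}")
    print("sshd auth stack:", " -> ".join(auth_modules(pamd, "sshd")))
```

On a real host, skip write_samples() and pass /etc/pam.d to ldap_auth_services(): every service that reports True accepts LDAP users through pam_stack.so, whether or not that was intended. The expanded order printed for sshd also shows why the pam_ldap.so line has to sit before pam_deny.so, and why it carries use_first_pass when pam_unix.so earlier in the stack has already asked for the password (otherwise the user is prompted twice).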