Re: Newbie with PAM_LDAP (authentication on linux) and OPENLDAP
- To: "Broussard Philippe" <philippe.broussard@e-qual.fr>
- Subject: Re: Newbie with PAM_LDAP (authentication on linux) and OPENLDAP
- From: "Imphar AG" <ifs@imphar.com>
- Date: Tue, 12 Aug 2003 17:20:40 +0300
- Cc: <openldap-software@OpenLDAP.org>
- References: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAoTMCUkUVIU+EN1lpRTz5FcKAAAAQAAAAJzrDTua3tkiv/r9fpWL95AEAAAAA@e-qual.fr>
Hi Philippe,
The best solution is to use NSSwitch....
Here is my configuration under SuSE:

# ldap.conf
# please restart the name cache daemon after editing this file
# LDAP Server
host localhost
base dc=xxxxxx,dc=com
ldap_version 3
scope sub
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# The credentials to bind with.
# Optional: default is no credential.
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=YOURDN,dc=xxxxxx,dc=com
# NSS SWITCH (see /etc/nsswitch.conf)
# passwd: files ldap
# group: files ldap
# shadow: files ldap
#
# hosts: files dns ldap
nss_base_passwd ou=Users,dc=xxxxxx,dc=com?sub
nss_base_shadow ou=Users,dc=xxxxxx,dc=com?sub
nss_base_group ou=Groups,dc=xxxxxx,dc=com?sub
nss_base_hosts ou=Computers,dc=xxxxxx,dc=com?sub
# SSL Stuff
#ssl no
#ssl start_tls
#tls_cacert /etc/openldap/cacert.pem
# PAM Stuff
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
#pam_crypt local
pam_password ssha #you can use md5 too

If I try the authentication with SSH, I have to set PAM in sshd:

#%PAM-1.0
auth required pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix2.so
account required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none # trace or debug
session required pam_limits.so
session required pam_mkhomedir.so umask=0022

The pam_unix2.so is a new module using nsswitch.conf!
If you do not have it, try with:
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
Hope it helps you!
frederic
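Two things in the configuration above are easy to get wrong when copying it: the ssl/tls_cacert lines are commented out, so the bind to the directory (and the user's password) leaves the box in the clear, and a PAM line must read "type control module", not "type module control". The following script is an added example, not code from the mail above or from the pam_ldap/nss_ldap projects; it lints a pam_ldap-style ldap.conf and a PAM service file for exactly those two points and checks that the ldap.secret file used with rootbinddn is owner-only. All files it reads are constructed samples written by make_samples into a temporary directory, not the real /etc files.

```shell
#!/bin/sh
# Added example, not code from the original mail or from the pam_ldap/nss_ldap
# projects. Checks a pam_ldap-style ldap.conf and a PAM service file for
# (1) the "ssl" line left commented out (bind and password cross the wire in
# the clear) and (2) PAM lines written as "type module control" instead of
# "type control module". Every file used here is a constructed sample.

# Value of an active (uncommented) keyword in ldap.conf, trailing comment removed.
# Usage: ldap_conf_get FILE KEYWORD
ldap_conf_get() {
    awk -v key="$2" '
        $1 == key {
            sub(/[ \t]*#.*$/, "")            # drop "ssha #you can use md5 too" comments
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")  # drop the keyword itself
            print
            exit
        }' "$1"
}

# Classify the transport: start_tls, ldaps (ssl on) or plaintext (ssl off/absent).
ldap_conf_transport() {
    case "$(ldap_conf_get "$1" ssl)" in
        start_tls) echo start_tls ;;
        on|yes)    echo ldaps ;;
        *)         echo plaintext ;;
    esac
}

# Succeed only when TLS is on and a CA certificate is configured for verification.
ldap_conf_tls_ok() {
    [ "$(ldap_conf_transport "$1")" != plaintext ] &&
    [ -n "$(ldap_conf_get "$1" tls_cacert)" ]
}

# Succeed when FILE (the ldap.secret used with rootbinddn) is owner-only, e.g. mode 600.
secret_is_private() {
    case "$(ls -ld "$1" | cut -c2-10)" in
        ???------) return 0 ;;   # group and other permission bits all clear
        *)         return 1 ;;
    esac
}

# Print the number of PAM lines whose second field is not a control flag;
# each offending line goes to stderr. Catches "auth pam_ldap.so sufficient".
pam_bad_count() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $2 !~ /^(required|requisite|sufficient|optional|include|\[)/ {
            print "bad PAM line: " $0 > "/dev/stderr"; bad++
        }
        END { print bad + 0 }' "$1"
}

# Write constructed sample files into DIR (modelled on the configs in the mail).
make_samples() {
    cat > "$1/ldap.conf.plain" <<'EOF'
host localhost
base dc=example,dc=com
ldap_version 3
#ssl start_tls
#tls_cacert /etc/openldap/cacert.pem
pam_password ssha #you can use md5 too
EOF
    cat > "$1/ldap.conf.tls" <<'EOF'
host ldap.example.com
base dc=example,dc=com
ldap_version 3
ssl start_tls
tls_cacert /etc/openldap/cacert.pem
pam_password ssha
EOF
    cat > "$1/pam.ok" <<'EOF'
#%PAM-1.0
auth     sufficient pam_ldap.so
auth     required   pam_unix2.so use_first_pass
account  sufficient pam_ldap.so
account  required   pam_unix2.so
EOF
    cat > "$1/pam.swapped" <<'EOF'
auth pam_ldap.so sufficient
account pam_ldap.so sufficient
auth required pam_unix2.so
EOF
    printf 'secret\n' > "$1/ldap.secret"
    chmod 600 "$1/ldap.secret"
}

# Stand-alone demo over the constructed samples.
dir=$(mktemp -d) && make_samples "$dir"
for f in "$dir/ldap.conf.plain" "$dir/ldap.conf.tls"; do
    if ldap_conf_tls_ok "$f"; then echo "$f: TLS ok ($(ldap_conf_transport "$f"))"
    else echo "$f: WARNING bind goes over $(ldap_conf_transport "$f")"; fi
done
echo "pam.swapped: $(pam_bad_count "$dir/pam.swapped") bad line(s)"
secret_is_private "$dir/ldap.secret" && echo "ldap.secret: owner-only"
rm -rf "$dir"
```

To run it against a real host, point ldap_conf_tls_ok at /etc/ldap.conf (or wherever the distribution keeps the pam_ldap/nss_ldap config), pam_bad_count at /etc/pam.d/sshd and secret_is_private at /etc/ldap.secret; the keyword names checked are the ones used in the configuration above.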