ssh -> pam_ldap -> openldap -> sasl -> pam_radius
I know it sounds crazy but it actually almost works now. I have tested
using ldapsearch a query against the ldap server (and using
testsaslauthd) and it successfully talks to sasl, in which saslauthd
uses pam (running as saslauthd -a pam reading /etc/pam.d/ldap) which is
configured to talk pam_radius.so to a radius server for authentication.
So the latter half of this works. The problem I have is between
ssh->pam->pam_ldap.
The problem I am having is that if there is no local account on the
box, ssh never uses pam_ldap to try and authenticate the user against
the ldap server and pull out all the POSIX account info for login. Any help
would be appreciated; here are my config files. This is on a Red Hat 8.0
Linux box btw.
/etc/pam.d/sshd
-----------------------------
#%PAM-1.0
# auth: try LDAP first, fall back to local shadow with the same password
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so debug
auth required /lib/security/pam_unix.so shadow nullok use_first_pass
# account: LDAP account checks, then local
account sufficient /lib/security/pam_ldap.so debug
account required /lib/security/pam_unix.so
# password: the pam_unix option is use_authtok (reuse the token from pam_cracklib)
password sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_unix.so nullok use_authtok shadow
session required /lib/security/pam_unix.so
session optional /lib/security/pam_console.so
/etc/ldap.conf
-----------------
host 127.0.0.1
base dc=domain,dc=com
uri ldap://127.0.0.1/
ldap_version 3
ssl start_tls
tls_checkpeer no
SASL_SECPROPS none
/usr/local/etc/openldap/slapd.conf
-------------------------------------
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
access to dn=".*,dc=domain,dc=com" attr=userPassword
by self write
by * auth
access to dn=".*,dc=domain,dc=com"
by * read
sasl-secprops none
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=Manager,dc=domain,dc=com"
index objectClass eq
TLSCertificateFile /usr/local/etc/openldap/certs/slapdcert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/certs/slapdkey.pem
# note: +SSLv2 re-enables the obsolete SSLv2 suites; HIGH:MEDIUM alone is the safer choice
TLSCipherSuite HIGH:MEDIUM:+SSLv2
/usr/lib/sasl2/slapd.conf
-------------------------
pwcheck_method: saslauthd
any help would be greatly appreciated.
thanks
adam
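One check worth running on a host that shows this symptom, added here as an example and not part of the original post or its configs: sshd resolves the login name through NSS (getpwnam) before the PAM auth stack runs, and the POSIX account data (uid, home, shell) also comes from NSS, so a user who exists only in LDAP must be reachable through nss_ldap in /etc/nsswitch.conf; pam_ldap on its own does not make the account visible. The script below parses nsswitch.conf content and reports whether the passwd, shadow and group databases consult "ldap". The two sample nsswitch.conf contents are constructed for the demonstration; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: check whether NSS lets sshd see LDAP-only accounts.
# Return 0 if database $1 (passwd, shadow or group) lists "ldap" as a
# source in the nsswitch.conf content read from stdin, 1 otherwise.
nss_uses_ldap() {
    db="$1"
    # drop comments, then split "passwd:" into "passwd :" so awk sees
    # the name and the colon as separate fields regardless of spacing
    sed -e 's/#.*//' -e 's/:/ : /' | awk -v db="$db" '
        $1 == db && $2 == ":" {
            for (i = 3; i <= NF; i++) if ($i == "ldap") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample: the stock files-only nsswitch.conf, i.e. the state
# in which an LDAP-only user never resolves and sshd never reaches pam_ldap
SAMPLE_NSSWITCH_FILES_ONLY='passwd:     files
shadow:     files
group:      files'

# Constructed sample: the same file with nss_ldap enabled
SAMPLE_NSSWITCH_LDAP='passwd:     files ldap
shadow:     files ldap
group:      files ldap'

# Print a verdict per database for the nsswitch.conf content in $1.
# Returns 0 only if passwd, shadow and group all consult ldap.
check_nss() {
    rc=0
    for db in passwd shadow group; do
        if printf '%s\n' "$1" | nss_uses_ldap "$db"; then
            echo "$db: ldap consulted"
        else
            echo "$db: files only - LDAP-only users will not resolve here"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed samples ("|| :" keeps a failing check
# from aborting a shell running under set -e)
echo "== files-only nsswitch.conf =="
check_nss "$SAMPLE_NSSWITCH_FILES_ONLY" || :
echo "== nsswitch.conf with ldap =="
check_nss "$SAMPLE_NSSWITCH_LDAP" || :
```

On a real host, run `check_nss "$(cat /etc/nsswitch.conf)"` and then `getent passwd <ldap-only-user>`; if getent prints nothing, sshd will reject the name before pam_ldap is consulted, whatever the PAM stack says.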