Re: pam_ldap and login
Johnny Casey wrote:
>
> You are missing "use_authtok".
My copy of the pam docs mentions use_authtok, but not what it actually
does. This situation seems to be repeated at:-
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/
What does this flag mean? Is there any complete documentation available
for PAM? An awful lot of postings about it seem to indicate that most
people get by with trial and error due to lack of any docs.
> About the above, I would probably have pam_unix before pam_ldap. What
> order you have the two (pam_ldap and pam_unix) should be the same for
> account/auth/password.
>
> It might also be good to specify which Linux distribution and what
> version you are using next time...
Debian Woody.
I've now got this in /etc/pam.d/passwd:-
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password sufficient pam_unix.so nullok use_authtok obscure min=4 max=8 md5 shadow
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
Which doesn't work for users or root, so at least I've got consistency....
People have also suggested pam_localuser.so, but Debian doesn't ship
with it, and there doesn't appear to be any obvious source to get it. I
could pick up a binary from an RPM, but I want a maintainable system...
Mike.
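Since the thread never spells out what use_authtok does, here is an added example (not code from the post, from Debian or from Linux-PAM) that encodes the flag's documented meaning and lints the stack quoted above for it: use_authtok tells a password module to reuse the new password that an earlier module in the same password stack already collected, instead of prompting for it, so the first real password module in the stack must not carry it. The parser and the orphan check are this example's own constructs; the stack text is the one from the post, re-typed with the wrapped line joined.

```python
"""Lint the password stack of a PAM service file for use_authtok misuse.

use_authtok tells a password module to reuse the new password already
collected by an earlier module in the same stack instead of prompting; with
no earlier module to collect it, there is no token and the module fails.
Added example, not code from the original post.
"""
# Constructed input: the /etc/pam.d/passwd stack quoted in the post, with
# the wrapped pam_unix line rejoined.
POSTED_STACK = """\
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password sufficient pam_unix.so nullok use_authtok obscure min=4 max=8 md5 shadow
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
"""
# Candidate fix: let pam_unix, the first password module, prompt for the
# new password and keep use_authtok only on the modules stacked after it.
FIXED_STACK = POSTED_STACK.replace("nullok use_authtok obscure", "nullok obscure")

def parse_stack(text, phase):
    """Return [(control, module, [args])] for one management group."""
    rows = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == phase:
            module = parts[2].rsplit("/", 1)[-1]  # drop /lib/security/ prefix
            rows.append((parts[1], module, parts[3:]))
    return rows

def orphan_use_authtok(text):
    """Password modules carrying use_authtok before any module in the stack
    could have collected a new password. pam_deny.so never collects one and is
    skipped; a module that fails for lack of a token is treated as leaving none."""
    orphans, token_available = [], False
    for _control, module, args in parse_stack(text, "password"):
        if module == "pam_deny.so":
            continue
        if "use_authtok" in args and not token_available:
            orphans.append(module)
        else:
            token_available = True
    return orphans
```

Run against POSTED_STACK the check names both pam_unix.so and pam_ldap.so as starved of a token, which matches the "doesn't work for users or root" symptom; against FIXED_STACK it reports nothing.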