
Re: using LDAP as central authentication unit



Dear Tony,
Thanks for your prompt response.
http://www.linux.com/articles/113567 describes the "sufficient" modifier as follows:
If a sufficient module succeeds, it is enough to satisfy the requirements of sufficient modules in that realm for use of the service, and modules below it that are also listed as 'sufficient' are not invoked.

Given the following /etc/pam.d/system.auth file:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
I think LDAP is used ONLY if the Unix authentication fails? Right? Am I missing something?
----- Original Message ----
From: Tony Earnshaw <tonni@hetnet.nl>
To: openldap-technical@openldap.org
Sent: Thursday, February 21, 2008 9:58:57 PM
Subject: Re: using LDAP as central authentication unit

Hamidreza Hamedtoolloei skrev, on 22-02-2008 03:21:

> I've followed one of the online instructions on how to configure my
> system to use ldap as the user authentication mechanism. Below is
> partial content of my /etc/pam.d/system.auth file:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> Looking at some online resources about how pam works, it seems that unix
> authentication is being applied first, and only if it fails, ldap
> authentication is applied. Am I correct here? In other words, if all the
> users are still in /etc/shadow and /etc/passwd files.... ldap is NOT
> being used for authentication. If I delete the users from /etc/passwd...
> then LDAP is used.... right?

No, all the modules will be used, but the way they are treated depends
on the modifiers {sufficient,required,requisite} and
{use_first_pass,try_first_pass,null} (unless you're using Solaris >= 10
where they've been obsoleted).

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl



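As an added illustration (not code from this thread or from Linux-PAM itself), the Python model below walks the quoted system-auth stack with the standard Linux-PAM control-flag rules; the pam_unix and pam_ldap results are supplied by hand instead of coming from real module calls. It shows that pam_ldap is consulted whenever pam_unix fails (user absent from /etc/shadow or wrong local password), is skipped when pam_unix succeeds, and that the trailing pam_deny is what turns "nothing succeeded" into a denial.

```python
"""Walk a Linux-PAM 'auth' stack using the control-flag rules.

Constructed model of the /etc/pam.d/system-auth lines quoted in the thread;
module outcomes are passed in by the caller rather than produced by PAM.
"""

# (control flag, module) in file order, mirroring the quoted system-auth file
SYSTEM_AUTH = [
    ("required",   "pam_env"),
    ("sufficient", "pam_unix"),   # likeauth nullok
    ("sufficient", "pam_ldap"),   # use_first_pass: reuses the password pam_unix prompted for
    ("required",   "pam_deny"),   # always fails; catches the case where nothing succeeded
]

# Modules with a fixed result; the caller supplies pam_unix / pam_ldap outcomes
FIXED = {"pam_env": True, "pam_deny": False}


def run_auth_stack(stack, outcomes):
    """Return (authenticated, modules_invoked) following Linux-PAM semantics:
    - required:   a failure makes the final result a failure, but the stack continues
    - requisite:  a failure ends the stack immediately with failure
    - sufficient: a success with no earlier required failure ends the stack with
                  success at once; a failure is simply ignored
    The final result is success only if some module succeeded and no required one failed.
    """
    invoked = []
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = FIXED.get(module, outcomes.get(module, False))
        invoked.append(module)
        if ok:
            any_success = True
        if control == "requisite" and not ok:
            return False, invoked
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return True, invoked        # pam_ldap is never reached when pam_unix succeeds
    # Without the trailing pam_deny, pam_env's success alone would make this True
    return any_success and not required_failed, invoked


if __name__ == "__main__":
    print(run_auth_stack(SYSTEM_AUTH, {"pam_unix": True}))                     # local user, right password
    print(run_auth_stack(SYSTEM_AUTH, {"pam_unix": False, "pam_ldap": True}))  # LDAP-only user
    print(run_auth_stack(SYSTEM_AUTH, {"pam_unix": False, "pam_ldap": False})) # both fail
```

The last assertion in the test below is the case worth remembering: with pam_deny removed, a user who fails both pam_unix and pam_ldap is still authenticated, because pam_env's required success is the only result left on the stack.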