[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pam services under LDAP

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: pam services under LDAP
From: Prentice Bisbal <prentice@ias.edu>
Date: Tue, 09 Nov 2010 10:42:32 -0500
In-reply-to: <AANLkTim_4mj11NJN7TazXx+n8i0dUC+h+2ifHoVU+4Dy@mail.gmail.com>
References: <AANLkTikwHJ+sX4uq9_t2zR600Fi+Use-vB4QXWcuAEw8@mail.gmail.com> <alpine.SOC.2.00.1011081629210.18772@toolbox.rutgers.edu> <AANLkTim_4mj11NJN7TazXx+n8i0dUC+h+2ifHoVU+4Dy@mail.gmail.com>
User-agent: Thunderbird 2.0.0.24 (X11/20101029)

bluethundr wrote:
> I have created a symlink from /etc/openldap/ldap.conf to
> /etc/ldap.conf... that seems to have gotten the majority of the system

This is a RHEL-based linux system, right? If so, you don't want to do
that. They serve two completely different services.

/etc/openldap/ldap.conf is used by the ldap client command-line tools
(ldapsearch, ldapadd, etc.). And I've confirmed that it's used by the
the name service switch, too. I don't think last part os documented
anywhere.

/etc/ldap.conf is for the pam_ldap module.

If adding that symlink fixed your problem, I think there's something
else wrong with your system.


> communicating with PAM/LDAP. I guess that making a .ldaprc file in the
> users home directory and putting those directives in there would be
> about the equivalent.
> 
> The only thing eluding me currently is getting the client to listen to
> sudoers which is currently working thru ldap on the ldap server
> itself.
> 
>  [root@VIRCENT03:~]#cat /etc/pam.d/sudo
> #%PAM-1.0
> auth       include      system-auth
> auth       required     pam_ldap.so
> account    include      system-auth
> account    required     pam_ldap.so
> password   include      system-auth
> password   required     pam_ldap.so
> session    optional     pam_keyinit.so revoke
> session    required     pam_limits.so
> session    required     pam_ldap.so
> 
> 
> AFAIK the above should get pam_ldap communicating with the LDAP server
> on the behalf of sudoers. the other pam configs (such as sshd and su)
> appear to be getting their info from the system auth which is
> currently communicating with the LDAP server.
> 
> Does anyone have any tips on how to get sudoers working through pam /ldap?
> 
> thanks!!
> 
> On Mon, Nov 8, 2010 at 4:29 PM, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
>> On Mon, 8 Nov 2010, bluethundr wrote:
>>
>>> [root@VIRCENT03:~]#cat /etc/openldap/ldap.conf
>> [...]
>>> TLS_CACERTDIR /etc/openldap/cacerts
>>> sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net
>> I don't believe that "sudoers_base" is a recognized OpenLDAP configuration
>> directive. As such, this line may belong in a file other than
>> "/etc/openldap/ldap.conf" on your system.
>>
>>
> 
> 
> 

-- 
Prentice

References:
- pam services under LDAP
  - From: bluethundr <bluethundr@gmail.com>
- Re: pam services under LDAP
  - From: Aaron Richton <richton@nbcs.rutgers.edu>
- Re: pam services under LDAP
  - From: bluethundr <bluethundr@gmail.com>

Prev by Date: Re: pamL-dap configuration guide
Next by Date: Re: Is ldap_bind() mandatory before each ldap_search() call?
Index(es):
- Chronological
- Thread