Re: pam services under LDAP
bluethundr wrote:
> I have created a symlink from /etc/openldap/ldap.conf to
> /etc/ldap.conf... that seems to have gotten the majority of the system
This is a RHEL-based linux system, right? If so, you don't want to do
that. They serve two completely different services.
/etc/openldap/ldap.conf is used by the ldap client command-line tools
(ldapsearch, ldapadd, etc.). And I've confirmed that it's used by the
name service switch, too. I don't think that last part is documented
anywhere.
/etc/ldap.conf is for the pam_ldap module.
If adding that symlink fixed your problem, I think there's something
else wrong with your system.
> communicating with PAM/LDAP. I guess that making a .ldaprc file in the
> users home directory and putting those directives in there would be
> about the equivalent.
>
> The only thing eluding me currently is getting the client to listen to
> sudoers which is currently working thru ldap on the ldap server
> itself.
>
> [root@VIRCENT03:~]#cat /etc/pam.d/sudo
> #%PAM-1.0
> auth include system-auth
> auth required pam_ldap.so
> account include system-auth
> account required pam_ldap.so
> password include system-auth
> password required pam_ldap.so
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session required pam_ldap.so
>
>
> AFAIK the above should get pam_ldap communicating with the LDAP server
> on the behalf of sudoers. The other pam configs (such as sshd and su)
> appear to be getting their info from the system auth which is
> currently communicating with the LDAP server.
>
> Does anyone have any tips on how to get sudoers working through pam /ldap?
>
> thanks!!
>
> On Mon, Nov 8, 2010 at 4:29 PM, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
>> On Mon, 8 Nov 2010, bluethundr wrote:
>>
>>> [root@VIRCENT03:~]#cat /etc/openldap/ldap.conf
>> [...]
>>> TLS_CACERTDIR /etc/openldap/cacerts
>>> sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net
>> I don't believe that "sudoers_base" is a recognized OpenLDAP configuration
>> directive. As such, this line may belong in a file other than
>> "/etc/openldap/ldap.conf" on your system.
>>
>>
>
>
>
--
Prentice
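The advice above boils down to two checks an admin can script: that /etc/openldap/ldap.conf and /etc/ldap.conf are still separate files rather than one symlinked to the other, and that directives the OpenLDAP client library does not define (sudoers_base, for instance, which is read by sudo's LDAP support per sudoers.ldap(5)) have not ended up in the OpenLDAP file. The script below is an added example, not code from this thread or from the OpenLDAP project; the directive list is taken from ldap.conf(5) as of the OpenLDAP 2.4 series and is an assumption that may lag a particular release (an out-of-date list only makes the check report more, never less), and the sample file it scans is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenLDAP client config for
# directives that ldap.conf(5) does not define, and detect the symlink that
# the thread warns against.

# Keywords documented in ldap.conf(5); assumption: OpenLDAP 2.4-era list.
OPENLDAP_DIRECTIVES="BASE BINDDN DEREF HOST NETWORK_TIMEOUT PORT REFERRALS
SIZELIMIT TIMELIMIT TIMEOUT URI SASL_MECH SASL_REALM SASL_AUTHCID SASL_AUTHZID
SASL_SECPROPS SASL_NOCANON GSSAPI_SIGN GSSAPI_ENCRYPT
GSSAPI_ALLOW_REMOTE_PRINCIPAL TLS_CACERT TLS_CACERTDIR TLS_CERT TLS_KEY
TLS_CIPHER_SUITE TLS_PROTOCOL_MIN TLS_RANDFILE TLS_REQCERT TLS_CRLCHECK
TLS_CRLFILE"

# foreign_directives FILE
# Prints, one per line and upper-cased, every directive in FILE that is not an
# ldap.conf(5) keyword. Blank lines and '#' comments are skipped; matching is
# case-insensitive because ldap.conf(5) keywords are.
foreign_directives() {
    awk -v known="$OPENLDAP_DIRECTIVES" '
        BEGIN {
            n = split(known, a, "[ \t\n]+")
            for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }
        { k = toupper($1); if (!(k in ok)) print k }
    ' "$1"
}

# same_file A B
# Succeeds when both paths exist and resolve to the same inode, i.e. one is a
# symlink (or hard link) to the other.
same_file() {
    [ -e "$1" ] && [ -e "$2" ] && [ "$1" -ef "$2" ]
}

# audit_pair OPENLDAP_CONF PAM_LDAP_CONF
# Reports the two conditions from the thread. Returns 0 when the OpenLDAP file
# is a separate file containing only ldap.conf(5) keywords, 1 otherwise.
audit_pair() {
    status=0
    if same_file "$1" "$2"; then
        echo "WARNING: $1 and $2 are the same file; they serve different consumers"
        status=1
    fi
    foreign=$(foreign_directives "$1")
    if [ -n "$foreign" ]; then
        echo "WARNING: $1 contains directives ldap.conf(5) does not define:"
        printf '  %s\n' $foreign
        status=1
    fi
    return $status
}

# Stand-alone demonstration on a constructed file (values are made up).
demo() {
    d=$(mktemp -d)
    cat > "$d/ldap.conf" <<'EOF'
# constructed sample, not a real host
URI ldap://ldap.example.net
BASE dc=example,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
sudoers_base ou=sudoers,ou=Services,dc=example,dc=net
EOF
    ln -s "$d/ldap.conf" "$d/pam-ldap.conf"      # the symlink the thread warns against
    audit_pair "$d/ldap.conf" "$d/pam-ldap.conf" || echo "audit: problems found"
    rm -rf "$d"
}

# Run the demo only when executed directly, not when sourced.
case "$0" in *audit_ldap_conf*|*.sh) demo ;; esac
```

To use it against a live system, source the script and run `audit_pair /etc/openldap/ldap.conf /etc/ldap.conf`; a clean system prints nothing and exits 0, and anything it does print is a directive to move into the pam_ldap/sudo file or a link to remove.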