LinuxQuestions.org


SheldonPlankton 04-28-2005 01:11 PM

pam.d/system-auth and LDAP?
 
Hi,


I want to be able to authenticate users against my LDAP server on my RedHat systems. Or, more directly to the point, I want the LDAP server to
verify users' passwords, and I want users to get account information like
(shell, and home dir) from the old /etc/passwd file.

I figured I need to muck around with /etc/pam.d/system-auth file that
was modified by authconfig.

authconfig left my /etc/pam.d/system-auth file looking like
Code:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth      required      /lib/security/$ISA/pam_env.so
auth      sufficient      /lib/security/$ISA/pam_unix.so likeauth nullok
auth      sufficient      /lib/security/$ISA/pam_env.so use_first_pass
auth      required      /lib/security/$ISA/pam_env.so

account  required        /lib/security/$ISA/pam_unix.so
account  [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]        /lib/security/$ISA/pam_ldap.so

password      required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password      sufficient      /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password      sufficient      /lib/security/$ISA/pam_ldap.so use_authtok
password      required      /lib/security/$ISA/pam_deny.so

session      required          /lib/security/$ISA/pam_limits.so
session      required          /lib/security/$ISA/pam_unix.so
session      required          /lib/security/$ISA/pam_ldap.so

With this system-auth I would get shell and home dir info from LDAP.
The password in my /etc/shadow was no longer being used and
I had to use the password I stored in LDAP.

This is not what I wanted. So I changed my system-auth by hand to this ...
Code:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth      required      /lib/security/$ISA/pam_env.so
auth      sufficient      /lib/security/$ISA/pam_unix.so likeauth nullok
auth      sufficient      /lib/security/$ISA/pam_env.so use_first_pass
auth      required      /lib/security/$ISA/pam_env.so

account  required        /lib/security/$ISA/pam_unix.so

password      required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password      sufficient      /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password      sufficient      /lib/security/$ISA/pam_ldap.so use_authtok
password      required      /lib/security/$ISA/pam_deny.so

session      required          /lib/security/$ISA/pam_limits.so
session      required          /lib/security/$ISA/pam_unix.so

Now I get user shell and home dir from /etc/passwd and not LDAP, but I am able to log in with the password I stored in LDAP and the password I stored in my /etc/shadow ???

A little help please :)
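
An added example, not part of the original post: a small Python model of how Linux-PAM walks the `auth` group with the `required` and `sufficient` keywords, showing that edits to `account` and `session` lines leave password checking unchanged. The sample stack is constructed and assumes `pam_ldap.so` is the second `sufficient` auth module and `pam_deny.so` closes the group, which the posted listing does not show; `parse`, `evaluate` and `login` are hypothetical helper names.

```python
import re

# Constructed sample modelled on the posted system-auth layout. Assumption:
# auth has pam_ldap.so as a second "sufficient" module and ends in pam_deny.so.
SAMPLE = """\
auth     required    /lib/security/$ISA/pam_env.so
auth     sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
auth     sufficient  /lib/security/$ISA/pam_ldap.so use_first_pass
auth     required    /lib/security/$ISA/pam_deny.so
account  required    /lib/security/$ISA/pam_unix.so
"""

LINE = re.compile(r"^(auth|account|password|session)\s+(\S+)\s+(\S+)")

def parse(text, group):
    """Return [(control, module)] for one management group, in file order."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(1) == group:
            stack.append((m.group(2), m.group(3).rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, results):
    """Walk a keyword-control stack; results maps module -> True/False."""
    failed, passed, ran = False, False, []
    for control, module in stack:
        ok = results[module]
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran              # fail at once
        if control == "sufficient" and ok and not failed:
            return True, ran               # succeed at once, skip the rest
        if control in ("required", "requisite"):
            failed = failed or not ok
            passed = passed or ok
        elif control not in ("sufficient", "optional"):
            raise ValueError(f"unsupported control: {control}")
    return (passed and not failed), ran

def login(stack, shadow_ok, ldap_ok):
    """Evaluate with pam_env always succeeding and pam_deny always failing."""
    results = {"pam_env.so": True, "pam_deny.so": False,
               "pam_unix.so": shadow_ok, "pam_ldap.so": ldap_ok}
    return evaluate(stack, results)

AUTH = parse(SAMPLE, "auth")                 # account line is ignored here
UNIX_ONLY = [entry for entry in AUTH if entry[1] != "pam_ldap.so"]
```

With the constructed `AUTH` stack either password is accepted, because the first `sufficient` success ends the walk; with `UNIX_ONLY` only the `/etc/shadow` password passes.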

