
[ale] [Fwd: Re: OpenLDAP: So close and yet so far]



move the pam_ldap line up one. The line above it will always capture
an event and the ldap line is never called. pam is a sequential
process down the chain.

In fact, if you want to tighten the security, put the pam_deny line
before any "sufficient" lines in auth.

On Wed, Jun 3, 2009 at 12:36 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
> Jerald -
>
> That line is in there...in fact, let me paste the whole system-auth file:
>
> #%PAM-1.0
>
> auth            required        pam_env.so
> auth            sufficient      pam_unix.so try_first_pass likeauth nullok
> auth            sufficient      pam_ldap.so use_first_pass
> auth            required        pam_deny.so
>
> account         required        pam_unix.so
> account         sufficient      pam_ldap.so
>
> password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
> password        sufficient      pam_unix.so try_first_pass nullok md5 shadow use_authtok
> password        sufficient      pam_ldap.so use_authtok
> password        required        pam_deny.so
>
> session         required        pam_limits.so
> session         required        pam_unix.so
> session         optional        pam_ldap.so
>
>
>>
>>
>> Also, to let pam know about ldap, look for a line like so:
>>
>> auth        sufficient    pam_ldap.so use_first_pass
>>
>> in /etc/pam.d/system-auth
>>
>> Also, if you want to have home directories automagically made for
>> first-time logins, you need:
>>
>> session     required      pam_mkhomedir.so
>
> Cool trick - dunno if I'll use that now but it's good to know.
>
> Thanks,
> Jeff
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
>



-- 
James P. Kinney III
Actively in pursuit of Life, Liberty and Happiness
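An added example, not from the thread: a small Python model of how Linux-PAM walks an auth stack under the required/sufficient/requisite/optional control flags, applied to the system-auth lines quoted above. Module outcomes are stubbed as booleans (an assumption; real modules return PAM status codes), so you can see which lines actually run for a local user, an LDAP-only user and a bad password, and check what a reordered stack would do before editing /etc/pam.d/system-auth.

```python
# Toy model of Linux-PAM control-flag evaluation, constructed for this
# example (not Linux-PAM code). Each module is stubbed as a bool outcome
# for one login attempt; pam_env always succeeds and pam_deny always fails.

# The "auth" section exactly as quoted in the thread.
AUTH_STACK = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_deny.so"),
]
ALWAYS = {"pam_env.so": True, "pam_deny.so": False}

def run_stack(stack, outcomes):
    """Walk the stack top to bottom as pam_authenticate() does.
    outcomes: module -> bool for the user-dependent modules (pam_unix.so,
    pam_ldap.so). Returns (authenticated, modules actually called)."""
    results = {**ALWAYS, **outcomes}
    called, required_failed = [], False
    for control, module in stack:
        ok = results.get(module, False)       # unknown module counts as failure
        called.append(module)
        if control == "requisite" and not ok:
            return False, called              # stop immediately
        if control == "required" and not ok:
            required_failed = True            # keep walking, final result = fail
        if control == "sufficient" and ok:
            # terminates the stack; an earlier required failure still wins
            return not required_failed, called
        # "optional" and a failing "sufficient" do not change the result
    return not required_failed, called

def local_user_ok():
    # Password matches /etc/shadow: pam_unix passes, pam_ldap never runs.
    return run_stack(AUTH_STACK, {"pam_unix.so": True, "pam_ldap.so": True})

def ldap_only_user_ok():
    # No local entry: pam_unix fails, the walk continues and pam_ldap decides.
    return run_stack(AUTH_STACK, {"pam_unix.so": False, "pam_ldap.so": True})

def bad_password():
    # Both fail; the required pam_deny is reached and the stack ends in failure.
    return run_stack(AUTH_STACK, {"pam_unix.so": False, "pam_ldap.so": False})

def deny_first():
    # Same lines with the required pam_deny ahead of the sufficient ones:
    # the early required failure stands even though pam_unix succeeds.
    reordered = [AUTH_STACK[0], AUTH_STACK[3], AUTH_STACK[1], AUTH_STACK[2]]
    return run_stack(reordered, {"pam_unix.so": True, "pam_ldap.so": True})
```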