
LDAP, part 2

After someone mentioned LDAP a couple of weeks ago, I finally decided to
also look at it.  Now, I've migrated the passwd file into my ldap server
and modified a couple of /etc/pam.d/ files to use it on login (from the
example ones pam_ldap came with).  I then set it up with some differing
parameters between /etc/passwd and my user record in the ldap server.

It does verify my password on login just fine, so I had my hopes up.
But once I log in, I am using my shell from /etc/passwd instead of
ldap's loginshell attribute.

Here is the pam login file.
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass
session    required     /lib/security/pam_unix_session.so

If I read PAM's docs correctly, the account line is where it would pull
the information, shell, home dir, etc.  I've tried making ldap the only
one, using "required" instead of sufficient, etc. with no luck.  Does
anyone know where I might be missing something?

Also, there was talk about the passwd command.  As I understand it, when
properly set up, the pam module does the work of changing passwords.  So
when you tell /etc/pam.d/passwd to use the pam_ldap (or other) module,
that should change the password on the right service.  So one passwd
command can handle any number of authentication schemes.  Of course,
actually doing it isn't so simple.  :)  The ldappasswd command will
change it on the server, but not sync it with /etc/passwd.

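An added illustration (not part of the post above, and not PADL's pam_ldap code) of the distinction the question turns on: the PAM stacks decide whether a login is allowed, while the uid, home directory and loginShell that login applies afterwards come from getpwnam(), which follows the passwd sources in /etc/nsswitch.conf (the nss_ldap module, not pam_ldap, serves that lookup). The pam.d lines are the ones quoted in the post; the two nsswitch.conf fragments are constructed for the demo.

```python
from typing import List

# Constructed inputs for the demo: the pam.d/login stack quoted in the post
# (password lines omitted, as they play no part in a login) and two hypothetical
# /etc/nsswitch.conf fragments, one with and one without an ldap source.
PAM_LOGIN = """\
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
session    required     /lib/security/pam_unix_session.so
"""
NSSWITCH_FILES_ONLY = "passwd:     files\nshadow:     files\ngroup:      files\n"
NSSWITCH_WITH_LDAP = "passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\n"


def pam_modules(text: str, module_type: str) -> List[str]:
    """Module basenames configured for one PAM type (auth, account, ...), in stack order."""
    found = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == module_type:
            found.append(fields[2].rsplit("/", 1)[-1])
    return found


def nss_sources(text: str, database: str) -> List[str]:
    """Lookup sources for one nsswitch.conf database, e.g. passwd -> ['files', 'ldap']."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        name, _, sources = line.partition(":")
        if name.strip() == database:
            return sources.split()
    return []


def diagnose(pam_text: str, nss_text: str) -> str:
    """Why a user can authenticate via LDAP yet still get the shell from /etc/passwd.

    PAM only answers "may this user log in?"; the shell, home directory and uid
    come from getpwnam(), which walks the passwd sources in nsswitch.conf.
    """
    if "pam_ldap.so" not in pam_modules(pam_text, "auth"):
        return "pam_ldap not in auth stack: the LDAP password is never checked"
    if "ldap" not in nss_sources(nss_text, "passwd"):
        return "passwd database lacks ldap: shell/home/uid still come from /etc/passwd"
    return "ok: authentication and account attributes both reach LDAP"
```

Running diagnose(PAM_LOGIN, NSSWITCH_FILES_ONLY) reproduces the symptom in the post (password accepted, shell still from /etc/passwd); with NSSWITCH_WITH_LDAP both checks pass.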