
Re: Dialup authentication



On Sat, 2002-04-20 at 18:14, Robert Threet wrote:
> Maybe I'm putting in the wrong search words or is this
> possible...?  I'd like to have Linux authenticate the
> incoming PPP connections against LDAP (actually, iPlanet
> Directory) on another box.  Has anyone done something like
> this out there or seen the Howto docs?

On most distributions, pppd is compiled with PAM support.  The common
strategy is, therefore, to use PAM to get LDAP support.

First, set up pppd to authenticate against the local password files. 
Most likely, you will want to do PAP auth, not CHAP (and definitely not
MS-CHAP).  That translates to "unencrypted passwords" or "cleartext
passwords" in Windows PPP session settings.

After you have this working properly, add lines like this to
/etc/pam.d/ppp (or whatever your distribution uses for PAM
configuration):

auth    sufficient    pam_ldap.so
account sufficient    pam_ldap.so
session sufficient    pam_ldap.so

The order of these entries matters, so don't put them in as a block like
this; instead, for each category (auth, account, etc.), make sure that
other entries not labeled "required" come before these, and entries
labeled "required" come after.

For best results, you really should read the PAM documentation and
understand how these entries are parsed and executed within PAM.  It's
easy to inadvertently turn off your security entirely, or disable
important security checks.  Also, make sure you test everything
sufficiently; you want to make sure both that the right people can get
in and that the wrong people cannot.

The pam_ldap.so module is usually installed by a package that indicates
that it is the PAM LDAP module; in Debian, for instance, it is called
"libpam-ldap".  If you don't have the module on your system, look for a
similarly-named package.


-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.
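The ordering advice above, and the warning that a PAM stack can quietly stop checking what you think it checks, as an added example that is not from the original post and not Linux-PAM's own code: a small Python simulator of how Linux-PAM dispatches the simple control keywords (required, requisite, sufficient, optional), run over four constructed auth stacks for /etc/pam.d/ppp. The user databases, passwords and module behaviours are toy stand-ins (assumptions, not real module code); pam_nologin stands in for any site-wide check you might have in the stack, and real pam_unix verifies crypt(3) hashes while real pam_ldap performs an LDAP bind.

```python
"""Simulate how Linux-PAM walks an /etc/pam.d/ppp-style auth stack.

Added example, not code from the original post or from Linux-PAM: the
control-flag rules follow the documented semantics of the simple keywords
(required / requisite / sufficient / optional); module behaviours and user
databases are constructed toy stand-ins.
"""
import hashlib

def _h(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed sample databases: LOCAL stands in for /etc/passwd+shadow, LDAP
# for the directory.  Real pam_unix checks crypt(3) hashes and real pam_ldap
# does an LDAP bind; a SHA-256 of a toy password is enough for the walk-through.
LOCAL_USERS = {"root": _h("toor"), "alice": _h("local-pass")}
LDAP_USERS = {"bob": _h("ldap-pass"), "alice": _h("ldap-pass")}

def _check(db, env):
    return env["user"] in db and db[env["user"]] == _h(env["password"])

# Toy modules: True stands for PAM_SUCCESS, False for any failure code.
MODULES = {
    "pam_unix.so": lambda env: _check(LOCAL_USERS, env),
    "pam_ldap.so": lambda env: _check(LDAP_USERS, env),
    # pam_nologin refuses non-root users while /etc/nologin exists
    "pam_nologin.so": lambda env: env["user"] == "root" or not env["nologin"],
}

def parse_stack(text):
    """Parse pam.d-style lines into (type, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if len(parts) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries

def run_stack(entries, mgmt_type, env):
    """Dispatch one management group (auth, account, ...) as Linux-PAM does for
    the simple keywords.  Returns (granted, trace); trace holds every module
    that was actually consulted, with its result."""
    required_failed = False   # a failed "required" module is remembered
    any_success = False
    trace = []
    for mtype, control, module, _args in entries:
        if mtype != mgmt_type:
            continue
        ok = MODULES[module](env)
        trace.append((module, ok))
        if control == "required":
            required_failed |= not ok
            any_success |= ok
        elif control == "requisite":
            if not ok:
                return False, trace       # fail now; later modules never run
            any_success = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True, trace        # success ends the stack early
            # a failing sufficient module is simply ignored
        elif control == "optional":
            any_success |= ok             # failure ignored, success counts
        else:
            raise ValueError("unsupported control flag %r" % control)
    return (not required_failed and any_success), trace   # empty stack denies

def decide(config_text, user, password, nologin=False):
    """Run the auth group for one login; returns (granted, modules consulted)."""
    env = {"user": user, "password": password, "nologin": nologin}
    granted, trace = run_stack(parse_stack(config_text), "auth", env)
    return granted, [module for module, _ok in trace]

# Stack 1: the order the post recommends (non-required entry first).
RECOMMENDED = "auth sufficient pam_ldap.so\nauth required pam_unix.so\n"
# Stack 2: same modules, required entry first.
REVERSED = "auth required pam_unix.so\nauth sufficient pam_ldap.so\n"
# Stack 3: a site-wide check (pam_nologin here) after the sufficient entry.
NOLOGIN_LATE = ("auth sufficient pam_ldap.so\nauth required pam_nologin.so\n"
                "auth required pam_unix.so\n")
# Stack 4: the same check first, as requisite, so it applies to everyone.
NOLOGIN_FIRST = ("auth requisite pam_nologin.so\nauth sufficient pam_ldap.so\n"
                 "auth required pam_unix.so\n")

if __name__ == "__main__":
    stacks = [("recommended", RECOMMENDED), ("reversed", REVERSED),
              ("nologin-late", NOLOGIN_LATE), ("nologin-first", NOLOGIN_FIRST)]
    attempts = [("bob", "ldap-pass", False), ("alice", "local-pass", False),
                ("bob", "wrong", False), ("bob", "ldap-pass", True)]
    for name, cfg in stacks:
        for user, pw, nologin in attempts:
            granted, consulted = decide(cfg, user, pw, nologin)
            print("%-13s %-6s nologin=%-5s %-5s via %s" % (
                name, user, nologin, "ALLOW" if granted else "DENY", ", ".join(consulted)))
```

Running it prints one line per stack and login attempt, including which modules were actually consulted. Two outcomes are the ones to look at: with the required entry placed first, an LDAP-only user is refused even though pam_ldap succeeds, because a required failure is remembered for the rest of the stack (the "right people can't get in" case); with a sufficient entry placed before a required check, that check is never consulted for any user pam_ldap accepts (the "important security check silently disabled" case). Whether the second matters on your system depends on what the required modules after pam_ldap actually do, which is why reading the PAM documentation and testing both the allow and the deny paths is not optional.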