/etc/pam.d/ldap file question
Jason Morgan
jwm-freebsd-questions at sentinelchicken.net
Thu Jul 17 16:44:24 UTC 2008
On 2008.07.17 10:09:18, sgmayo at mail.bloomfield.k12.mo.us wrote:
> I am wanting to make sure that I have this correct. Using Pam/NSS/LDAP
> and Samba, I need to make the following file:
>
> /etc/pam.d/ldap
>
> which should contain:
>
> login auth sufficient /usr/local/lib/pam_ldap.so
>
> Is that all I have to add to the file? I will also need to uncomment the
> sshd line in the '/etc/pam.d/other' or else put that line in a new file
> that is named 'sshd', if I want to use ssh.
>
> I am still trying to get a hold of all of this and want to make sure that
> I am doing things correctly.
I had this exact question/problem when setting LDAP authentication up
for the first time last week. The man pages don't seem all that clear,
to me at least, and the pam documentation is vague, when you can find
it. Anyway, below are the settings I used to get SSH authentication
working. The settings work, but I don't claim they are "correct".
$ cat /etc/nsswitch.conf
group: files ldap
group_compat: nis
hosts: files dns
passwd: files ldap
passwd_compat: nis
services: compat
services_compat: nis
shells: files ldap
$ cat /etc/pam.d/sshd
# auth
#auth sufficient pam_opie.so no_warn no_fake_prompts
#auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
I believe, if I read the documentation correctly, you want to add
auth sufficient /usr/local/lib/pam_ldap.so
to /etc/pam.d/login. That should instruct pam to check ldap at
login. Hopefully, people who really know what they are doing will
respond.
HTH a bit,
~Jason Morgan
More information about the freebsd-questions
mailing list