Pam Authorization Problem
jesk at killall.org
Thu Nov 18 01:05:42 PST 2004
Hi, thanks for your reply!
My goal is to authenticate through LDAP and to do some specific
For failover I have one account in /etc/passwd in case of LDAP downtime,
so that it is still possible to log in through local authentication.
Furthermore, I have the following inside ldap.conf:
# Group to enforce membership of
# Group member attribute
This should do authorization and should only allow login if the account
that is logging in also exists in 'cn=klever,ou=hosts,dc=xxx,dc=xxx,dc=xxx'
with its full DN inside the uniqueMember attribute.
Authentication is already working with the AUTH directive inside of
So I want to allow any user to log in if, in ACCOUNT, the check with pam_ldap
is true and the user also exists there, or if the user exists inside of
> First of all -- be clear on where the user record exists. Identify if
> 'klever' exists both in LDAP and locally, or in only one. You will drive
> yourself nuts if you don't keep this straight. I suggest creating local-
> and directory-only test users when hacking on PAM.
This is what I have done.
> Secondly, understand what checks happen where. With PADL pam_ldap the
> only way you can tell most of this is to read the code, sadly. In this
> case, the various access checks happen in pam_sm_acct_mgmt(), which
> corresponds to 'account' in pam.conf.
I don't have much C knowledge, so this will be very hard.
> Because you have specified that the failure of pam_ldap is not fatal to
> the account stack. The "sufficient" control means:
> If this module returns success, then stop stack processing and return
> success to the application. Otherwise continue processing.
> Since the access check constitutes a "failure" and "sufficient"
> effectively ignores failures, you've made the access checks useless. :)
> You probably want to set it to "required", but there are a couple of
> options to mask certain failure modes you may need to set so that you get
> the proper fallback to local logins. Those options are
> Add these to the end of the 'account ..pam_ldap' line.
> If you don't want to set the options you can move it below pam_unix, but
> the control must still be "required" for the appropriate action to be
> taken. Remember, you need to treat ldap failing as fatal to the stack if
> you want the access controls to have any effect.
> PAM is horrifically complicated. I just spent 2 months implementing it at
> my employer and getting the cases right is a bitch. In fact, it's still
> wrong there. :(
I have tried all combinations in the ACCOUNT section, but without the
special attributes you have written about.
I will test them; maybe they are the only missing and required things to
get this working.
More information about the freebsd-stable
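The point made in the quoted reply (a "sufficient" pam_ldap entry in the account stack silently discards the group-membership failure, while "required" makes it fatal but then needs the LDAP-unavailable and local-only-user cases masked for the failover login to keep working) can be checked without reading the pam_ldap C source. The following is an added example, not code from this thread, from PADL pam_ldap or from OpenPAM: a small simulator of PAM account-stack evaluation under the standard control flags, with simplified models of pam_ldap and pam_unix. The directory contents (alice in the group, bob not, root local-only) are constructed, and the flags `ignore_unavail` and `ignore_unknown` are the simulator's own names for "treat this failure as PAM_IGNORE", not the real pam_ldap option names, which the reply above does not reproduce.

```python
"""Simulate how PAM evaluates an 'account' stack under the 'sufficient' and
'required' control flags (OpenPAM-style semantics, as used on FreeBSD).

Added example for this thread; not code from the thread, PADL pam_ldap or
OpenPAM. Module behaviours are simplified models, and the option names
'ignore_unavail' / 'ignore_unknown' are this simulator's own flags, not
pam_ldap's real option names.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Simplified stand-ins for PAM return codes.
SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"                  # access check failed (not in the group)
USER_UNKNOWN = "PAM_USER_UNKNOWN"          # user has no record in this backend
AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"  # backend (LDAP) unreachable
IGNORE = "PAM_IGNORE"                      # result does not influence the stack


@dataclass
class Env:
    """Constructed world state for one login attempt."""
    user: str
    ldap_up: bool
    ldap_members: Dict[str, bool]   # LDAP users -> member of the enforced group?
    local_users: Set[str]           # accounts present in /etc/passwd


def pam_ldap_acct(env: Env, opts: List[str]) -> str:
    """Model of pam_ldap's account check: enforce group membership."""
    if not env.ldap_up:
        return IGNORE if "ignore_unavail" in opts else AUTHINFO_UNAVAIL
    if env.user not in env.ldap_members:
        return IGNORE if "ignore_unknown" in opts else USER_UNKNOWN
    return SUCCESS if env.ldap_members[env.user] else AUTH_ERR


def pam_unix_acct(env: Env, opts: List[str]) -> str:
    """Model of pam_unix's account check: the user must resolve via getpwnam(3).
    With nss_ldap configured, directory users resolve too, so this passes for
    any known account; it knows nothing about the LDAP group requirement."""
    known_locally = env.user in env.local_users
    known_via_nss = env.ldap_up and env.user in env.ldap_members
    return SUCCESS if (known_locally or known_via_nss) else USER_UNKNOWN


MODULES = {"pam_ldap": pam_ldap_acct, "pam_unix": pam_unix_acct}

# A stack entry mirrors one pam.conf line: (control, module, option...).
Stack = List[Tuple[str, ...]]


def run_stack(stack: Stack, env: Env) -> str:
    """Walk the stack with the standard control-flag semantics:
    required   - failure is remembered, processing continues
    requisite  - failure returns immediately
    sufficient - success (with no earlier required failure) returns at once,
                 failure is ignored
    optional   - ignored
    """
    first_failure = None
    for control, module, *opts in stack:
        rc = MODULES[module](env, list(opts))
        if rc == IGNORE:
            continue
        ok = rc == SUCCESS
        if control == "required":
            if not ok and first_failure is None:
                first_failure = rc
        elif control == "requisite":
            if not ok:
                return rc
        elif control == "sufficient":
            if ok and first_failure is None:
                return SUCCESS
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r}")
    return first_failure or SUCCESS


# The poster's stack as the reply describes it: pam_ldap is 'sufficient',
# so its AUTH_ERR is ignored and pam_unix lets the user through anyway.
#   account sufficient pam_ldap.so
#   account required   pam_unix.so
BROKEN: Stack = [("sufficient", "pam_ldap"), ("required", "pam_unix")]

# The reply's suggestion: make pam_ldap 'required' so the access check is
# fatal, and mask the two failure modes that must still fall back to local.
#   account required pam_ldap.so <failure-masking options>
#   account required pam_unix.so
FIXED: Stack = [("required", "pam_ldap", "ignore_unavail", "ignore_unknown"),
                ("required", "pam_unix")]

# 'required' without the masking options: the access check works, but an
# LDAP outage (or the local-only failover account) now locks everyone out.
STRICT: Stack = [("required", "pam_ldap"), ("required", "pam_unix")]


def world(user: str, ldap_up: bool = True) -> Env:
    """Constructed directory: alice is in the group, bob is not; root is local."""
    return Env(user=user, ldap_up=ldap_up,
               ldap_members={"alice": True, "bob": False},
               local_users={"root"})


if __name__ == "__main__":
    for name, stack in (("broken", BROKEN), ("fixed", FIXED), ("strict", STRICT)):
        for user, up in (("alice", True), ("bob", True), ("root", True), ("root", False)):
            rc = run_stack(stack, world(user, up))
            print(f"{name:6} user={user:5} ldap_up={up!s:5} -> {rc}")
```

Running it shows the three regimes side by side: with BROKEN, bob (in LDAP but outside the enforced group) is allowed in because pam_unix resolves him through nss_ldap and the ignored pam_ldap failure never reaches the stack result; with STRICT, bob is denied but so is the local failover account, and nobody gets in while LDAP is down; only FIXED denies bob while still admitting root both with LDAP up and with LDAP down. If you change the order rather than the options, as the reply also suggests, keep pam_ldap "required": moving it below pam_unix changes nothing about which result wins.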