/etc/pam.d/ldap file question
sgmayo at mail.bloomfield.k12.mo.us
Thu Jul 17 18:37:40 UTC 2008
Jason Morgan wrote:
> On 2008.07.17 10:09:18, sgmayo at mail.bloomfield.k12.mo.us wrote:
>> I am wanting to make sure that I have this correct. Using Pam/NSS/LDAP
>> and Samba, I need to make the following file:
>>
>> /etc/pam.d/ldap
>>
>> which should contain:
>>
>> login auth sufficient /usr/local/lib/pam_ldap.so
>>
>> Is that all I have to add to the file? I will also need to uncomment the
>> sshd line in the '/etc/pam.d/other' or else put that line in a new file
>> that is named 'sshd', if I want to use ssh.
>>
>> I am still trying to get a hold of all of this and want to make sure that
>> I am doing things correctly.
>
> I had this exact question/problem when setting LDAP authentication up
> for the first time last week. The man pages don't seem all that clear,
> to me at least, and the pam documentation is vague, when you can find
> it. Anyway, below are the settings I used to get SSH authentication
> working. The settings work, but I don't claim they are "correct".
>
> $ cat /etc/nsswitch.conf
> group: files ldap
> group_compat: nis
> hosts: files dns
> passwd: files ldap
> passwd_compat: nis
> services: compat
> services_compat: nis
> shells: files ldap
>
> $ cat /etc/pam.d/sshd
> # auth
> #auth sufficient pam_opie.so no_warn no_fake_prompts
> #auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
> auth required pam_unix.so no_warn try_first_pass
>
> I believe, if I read the documentation correctly, you want to add
>
> auth sufficient /usr/local/lib/pam_ldap.so
>
> to /etc/pam.d/login. That should instruct pam to check ldap at
> login. Hopefully, people who really know what they are doing will
> respond.
>
> HTH a bit,
>
I found a great article on how to configure PAM. I believe this may be
one of the best ones that I have read yet. It explained things very well,
I thought. You probably have to be registered for linux-mag if you want
to read it, but that is free. This is a very good article. It explained
the system-auth file also, which is used in Linux, but I don't think that
FreeBSD uses that. I was wondering exactly what it did until I read this
article.
Part I is here
http://www.linux-mag.com/id/2105/
Part II is here
http://www.linux-mag.com/id/2153
--
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669 FA: 573-568-4565
Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
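
Added example, not part of the original thread or either poster's configuration: a simplified Python model of how the `sufficient` and `required` control flags in the quoted /etc/pam.d/sshd auth chain resolve. The helper names `parse_chain` and `evaluate` are hypothetical, and the module outcomes passed in are constructed inputs rather than real PAM or LDAP results.

```python
# Added illustration: a simplified model of PAM control-flag resolution.
# Models only required/requisite/sufficient/optional; module outcomes are
# constructed inputs, no real PAM or LDAP call is made.

# The auth chain quoted in the thread, with the wrapped line rejoined.
SSHD_AUTH = """\
# auth
#auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
"""

FLAGS = ("required", "requisite", "sufficient", "optional")

def parse_chain(text, facility="auth"):
    """Return [(control_flag, module_name)] for one facility of a pam.d file."""
    chain = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # A mail-wrapped option such as a lone "try_first_pass" lands here.
        if len(fields) < 3 or fields[1] not in FLAGS:
            raise ValueError(f"malformed pam.d entry: {raw!r}")
        if fields[0] == facility:
            chain.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return chain

def evaluate(chain, results):
    """results maps module name -> True (module succeeded) or False (failed)."""
    required_failed, successes = False, 0
    for control, module in chain:
        if results[module]:
            successes += 1
            if control == "sufficient" and not required_failed:
                return True           # chain stops, request granted
        elif control == "required":
            required_failed = True    # chain continues, outcome is now denial
        elif control == "requisite":
            return False              # chain stops, request denied
    # Grant only if no required module failed and at least one module succeeded.
    return not required_failed and successes > 0

if __name__ == "__main__":
    chain = parse_chain(SSHD_AUTH)
    for who, res in [("LDAP user", {"pam_ldap.so": True, "pam_unix.so": False}),
                     ("local user", {"pam_ldap.so": False, "pam_unix.so": True}),
                     ("bad password", {"pam_ldap.so": False, "pam_unix.so": False})]:
        print(who, "->", "granted" if evaluate(chain, res) else "denied")
```

In this model, swapping the two lines so that `pam_unix.so` is `required` ahead of the `sufficient` LDAP entry denies an account that exists only in LDAP, which is why the order in the quoted file matters.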