/etc/pam.d/ldap file question

sgmayo at mail.bloomfield.k12.mo.us sgmayo at mail.bloomfield.k12.mo.us
Thu Jul 17 18:37:40 UTC 2008


Jason Morgan wrote:
> On 2008.07.17 10:09:18, sgmayo at mail.bloomfield.k12.mo.us wrote:
>> I am wanting to make sure that I have this correct.  Using Pam/NSS/LDAP
>> and Samba, I need to make the following file:
>>
>> /etc/pam.d/ldap
>>
>> which should contain:
>>
>> login   auth    sufficient      /usr/local/lib/pam_ldap.so
>>
>> Is that all I have to add to the file?  I will also need to uncomment the
>> sshd line in the '/etc/pam.d/other' or else put that line in a new file
>> that is named 'sshd', if I want to use ssh.
>>
>> I am still trying to get a hold of all of this and want to make sure that
>> I am doing things correctly.
>
> I had this exact question/problem when setting LDAP authentication up
> for the first time last week. The man pages don't seem all that clear,
> to me at least, and the pam documentation is vague, when you can find
> it. Anyway, below are the settings I used to get SSH authentication
> working. The settings work, but I don't claim they are "correct".
>
> $ cat /etc/nsswitch.conf
> group:            files ldap
> group_compat:     nis
> hosts:            files dns
> passwd:           files ldap
> passwd_compat:    nis
> services:         compat
> services_compat:  nis
> shells:           files ldap
>
> $ cat /etc/pam.d/sshd
> # auth
> #auth		sufficient	pam_opie.so		no_warn no_fake_prompts
> #auth		requisite	pam_opieaccess.so	no_warn allow_local
> #auth		sufficient	pam_krb5.so		no_warn try_first_pass
> #auth		sufficient	pam_ssh.so		no_warn try_first_pass
> auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
> auth		required	pam_unix.so		no_warn try_first_pass
>
> I believe, if I read the documentation correctly, you want to add
>
> auth            sufficient      /usr/local/lib/pam_ldap.so
>
> to /etc/pam.d/login. That should instruct pam to check ldap at
> login. Hopefully, people who really know what they are doing will
> respond.
>
> HTH a bit,
>

I found a great article on how to configure PAM.  I believe this may be
one of the best ones that I have read yet.  It explained things very well
I thought.  You probably have to be registered for linux-mag if you want
to read it, but that is free.  This is a very good article.  It explained
the system-auth file also, which is used in Linux, but I don't think that
FreeBSD uses that.  I was wondering exactly what it did until I read this
article.

Part I is here
http://www.linux-mag.com/id/2105/

Part II is here
http://www.linux-mag.com/id/2153

-- 
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669  FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
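As an added illustration that is not part of this thread, here is a small Python simulator of the PAM auth control flags run over the sshd stack Jason quoted: it shows that a successful pam_ldap.so short-circuits the stack, while a local account still passes through pam_unix.so when LDAP fails. The semantics are simplified (optional is ignored) and the rule that a stack in which no module succeeded is denied is an assumption, since implementations differ in that corner case.

```python
from typing import Dict, List, Tuple

# The sshd auth stack quoted in the thread, with the comment lines dropped
# and the mail-wrapped "no_warn try_first_pass" rejoined (constructed input).
SSHD_AUTH_STACK = """
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth  required    pam_unix.so                 no_warn try_first_pass
"""

def parse_stack(text: str, facility: str = "auth") -> List[Tuple[str, str]]:
    """Return (control, module basename) pairs for one facility; skip comments and blanks."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def run_stack(stack: List[Tuple[str, str]], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate required/requisite/sufficient and report which modules were consulted.

    results maps a module name to whether it would return PAM_SUCCESS for this
    login; a module missing from the map is treated as failing.  Simplified:
    optional modules are ignored, and a stack in which nothing succeeded is
    denied (an assumption; real implementations differ in that corner case).
    """
    failed, succeeded, consulted = False, False, []
    for control, module in stack:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted           # abort the stack immediately
        if control == "required" and not ok:
            failed = True                     # later modules still run, but the stack fails
        if control == "sufficient" and ok and not failed:
            return True, consulted            # short-circuit: later modules are never asked
        if control in ("required", "requisite") and ok:
            succeeded = True
    return (succeeded and not failed), consulted

def evaluate(results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Run the thread's sshd stack against one login attempt."""
    return run_stack(parse_stack(SSHD_AUTH_STACK), results)

if __name__ == "__main__":
    print("LDAP user: ", evaluate({"pam_ldap.so": True, "pam_unix.so": False}))
    print("local user:", evaluate({"pam_ldap.so": False, "pam_unix.so": True}))
    print("bad pass:  ", evaluate({"pam_ldap.so": False, "pam_unix.so": False}))
```

The returned module list is the point to watch: with LDAP succeeding, pam_unix.so is never consulted, so a weak or absent local password check is not what protects the account in that path.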



More information about the freebsd-questions mailing list