<quote who="Pixel">
> Buchan Milne <[EMAIL PROTECTED]> writes:
>
>> Note that for the client side, some changes need to be made in drakx
>> for LDAP support to make it work better out-the-box:
>>
>> -use objectclass posixaccount instead of objectclass account
>> (deprecated in openldap-2.1.x, many tools don't add it anyway) in
>> pam_filter in /etc/ldap.conf
This has been done already in nss_ldap package, but I wonder if it is
sensible to fix it in %post. Vince?
>> -put pam_pwdb before pam_ldap in /etc/pam.d/system-auth
Actually, pam_unix is used at present, which I have placed before
pam_ldap. Vince, in your article you mention problems with pam_unix, which
can be solved by using pam_pwdb instead. I however am now using the config
generated by my patched chkauth, with no problems (local and ldap password
changes work via pam_ldap only, su works for local and ldap users, ssh
works for local and ldap users), but I am using a local slave server
without ssl/tls. (Hmmm, at present even ldapsearch is segfaulting on a
stock+updates 9.1 when trying with tls to a local or remote tls-capable
server ... will have to investigate).
Anyway, placing pam_unix before pam_ldap in the password lines means at
least local accounts can change their password.
>> -add "ldap" to the automount line of /etc/nsswitch.conf
This is done in the attached patch. It may also be useful to add "ldap" to
the netgroup line, since the latest version (204) of nss_ldap added
support for netgroups, but I have not added it at present, as I have not
used netgroups before. Maybe someone who has used NIS netgroups can test
the LDAP support and make a recommendation?
>> -If NIS or LDAP are used for auth, and NFS is installed, install
>> autofs also
>
I don't think this one can go in chkauth (or should I add it to the list
of required packages - does DrakX use this or not?). And what if people
use NIS/LDAP but not NFS?
> These changes should go in chkauth, a quite ugly script that takes care
> of configuring ldap. I'm not really excited about having to modify it; if
> someone wants to try, the result will be faster :)
Proposed patches below. I did some whitespace cleanups in the pam files,
so there are two diffs here so you can see what had actual changes.
Patch without white-space changes:
# diff -uw /usr/sbin/chkauth.orig /usr/sbin/chkauth
--- /usr/sbin/chkauth.orig 2002-08-07 19:46:47.000000000 +0200
+++ /usr/sbin/chkauth 2003-07-06 16:15:08.000000000 +0200
@@ -36,7 +36,7 @@
open (NSSWITCH, "</etc/nsswitch.conf");
open (NEWNSSWITCH, ">/etc/nsswitch.conf.new");
while (<NSSWITCH>) {
- if (my ($cat, $options) = /^(\s*(?:passwd|shadow|group):\s*)(.*)/) {
+ if (my ($cat, $options) =
/^(\s*(?:passwd|shadow|group|automount):\s*)(.*)/) {
my @other =
grep { $_ ne $type && $_ ne 'files' } # remove it and 'files'
split(' ', $options);
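Review bot: the added `+ if (my ($cat, $options) =` line and its regex continuation `/^(\s*(?:passwd|shadow|group|automount):\s*)(.*)/) {` appear as two physical lines while the hunk header still counts 7 lines on each side, so the patch as pasted is mail-wrapped and will not apply with patch(1) until that line is rejoined (the same wrapping hits the `password`/`auth` lines in the later hunks); attaching the diff instead of pasting it would avoid this. Also, the `while (<NSSWITCH>)` loop only rewrites `automount:` lines that already exist in /etc/nsswitch.conf, so on a system whose nsswitch.conf ships without an automount line nothing is added; worth checking the shipped default or appending the line when it is missing.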
@@ -70,7 +70,7 @@
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
-password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow use_first_pass
+password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
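Review bot: this hunk is in the stanza that contains no pam_ldap at all, so dropping `use_first_pass` from `password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow` changes behaviour for installs that do not use LDAP as well. As the first module in that stack to ask for the current password there is nothing earlier for it to reuse, so the removal looks right, but it should be called out in the changelog as a separate fix rather than folded into the LDAP ordering change.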
@@ -85,8 +85,8 @@
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_env.so
-auth sufficient /lib/security/pam_ldap.so
-auth sufficient /lib/security/pam_unix.so likeauth nullok
try_first_pass
+auth sufficient /lib/security/pam_unix.so likeauth nullok
+auth sufficient /lib/security/pam_ldap.so try_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_ldap.so
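Review bot: both auth entries remain `sufficient`, so a failure in `pam_unix.so likeauth nullok` is ignored and the same password is then tried by `pam_ldap.so try_first_pass`; for a username that exists both locally and in the directory with different passwords, either password logs the user in (the same was true with the old order). The swap itself is fine, but the documentation should state that local and LDAP account names must not overlap, and note that `nullok` stays on the now-first pam_unix so an empty local password still succeeds without pam_ldap ever being consulted.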
@@ -94,8 +94,8 @@
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
-password sufficient /lib/security/pam_ldap.so
-password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow use_first_pass
+password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow
+password sufficient /lib/security/pam_ldap.so use_first_pass
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
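Review bot: `+password sufficient /lib/security/pam_ldap.so use_first_pass` uses `use_first_pass` while the auth hunk gives pam_ldap `try_first_pass`; with use_first_pass pam_ldap fails outright instead of prompting when the preceding pam_unix has left no current password in the stack. Please confirm that a password change where pam_unix did not prompt (for example root changing another user's password) still works for LDAP users, or use try_first_pass here too for consistency with the auth stack.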
Patch with white-space changes:
# diff -u /usr/sbin/chkauth.orig /usr/sbin/chkauth
--- /usr/sbin/chkauth.orig 2002-08-07 19:46:47.000000000 +0200
+++ /usr/sbin/chkauth 2003-07-06 16:15:08.000000000 +0200
@@ -36,7 +36,7 @@
open (NSSWITCH, "</etc/nsswitch.conf");
open (NEWNSSWITCH, ">/etc/nsswitch.conf.new");
while (<NSSWITCH>) {
- if (my ($cat, $options) = /^(\s*(?:passwd|shadow|group):\s*)(.*)/) {
+ if (my ($cat, $options) =
/^(\s*(?:passwd|shadow|group|automount):\s*)(.*)/) {
my @other =
grep { $_ ne $type && $_ ne 'files' } # remove it and 'files'
split(' ', $options);
@@ -70,12 +70,12 @@
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
-password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow use_first_pass
+password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow
password required /lib/security/pam_deny.so
-session required /lib/security/pam_limits.so
-session sufficient /lib/security/pam_unix.so
-session required /lib/security/pam_deny.so
+session required /lib/security/pam_limits.so
+session sufficient /lib/security/pam_unix.so
+session required /lib/security/pam_deny.so
EOF
;
}
@@ -85,8 +85,8 @@
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_env.so
-auth sufficient /lib/security/pam_ldap.so
-auth sufficient /lib/security/pam_unix.so likeauth nullok
try_first_pass
+auth sufficient /lib/security/pam_unix.so likeauth nullok
+auth sufficient /lib/security/pam_ldap.so try_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_ldap.so
@@ -94,14 +94,14 @@
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
-password sufficient /lib/security/pam_ldap.so
-password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow use_first_pass
+password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow
+password sufficient /lib/security/pam_ldap.so use_first_pass
password required /lib/security/pam_deny.so
-session required /lib/security/pam_limits.so
-session sufficient /lib/security/pam_ldap.so
-session sufficient /lib/security/pam_unix.so
-session required /lib/security/pam_deny.so
+session required /lib/security/pam_limits.so
+session sufficient /lib/security/pam_ldap.so
+session sufficient /lib/security/pam_unix.so
+session required /lib/security/pam_deny.so
EOF
;
}
I think it may be feasible to try and get all auth configuration (i.e.
including the winbind stuff) into chkauth without too much trouble, and then
it may be feasible to allow use of the auth GUI from DrakX after installation
... but unless we can use libconf, we would need to place warnings about
manual changes as RH does with authconfig.
Regards,
Buchan
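As an added example (not code from this message, from chkauth or from Linux-PAM), the following Python model walks an auth stack built only from `required` and `sufficient` entries the way Linux-PAM does, so the effect of swapping pam_unix and pam_ldap in the patch above can be traced module by module. The password stores, user names and passwords are constructed sample data; the three functions are stand-ins for pam_unix, pam_ldap and pam_deny and model only success or failure, not module options such as `nullok` or `try_first_pass`.

```python
"""Trace a PAM auth stack with 'required' / 'sufficient' control flags.

Added illustration, not part of the message or of chkauth. The stores below
are constructed sample data; the three module functions stand in for
pam_unix, pam_ldap and pam_deny and model only success/failure.
"""

# Constructed sample backends: a local shadow-style store and an LDAP directory.
# "carol" deliberately exists in both with different passwords.
LOCAL_PASSWORDS = {"alice": "local-secret", "carol": "carol-local"}
LDAP_PASSWORDS = {"bob": "ldap-secret", "carol": "carol-ldap"}


def pam_unix(user, password):
    """Stand-in for pam_unix: consults only the local password store."""
    if user not in LOCAL_PASSWORDS:
        return "USER_UNKNOWN"
    return "SUCCESS" if LOCAL_PASSWORDS[user] == password else "AUTH_ERR"


def pam_ldap(user, password):
    """Stand-in for pam_ldap: consults only the directory."""
    if user not in LDAP_PASSWORDS:
        return "USER_UNKNOWN"
    return "SUCCESS" if LDAP_PASSWORDS[user] == password else "AUTH_ERR"


def pam_deny(user, password):
    """Stand-in for pam_deny: always fails."""
    return "AUTH_ERR"


# The two auth stacks from the chkauth patch, reduced to (control, module).
OLD_AUTH = [("sufficient", pam_ldap), ("sufficient", pam_unix), ("required", pam_deny)]
NEW_AUTH = [("sufficient", pam_unix), ("sufficient", pam_ldap), ("required", pam_deny)]


def run_stack(stack, user, password, ldap_reachable=True):
    """Walk the stack with Linux-PAM semantics for these two control flags.

    required:   a failure is remembered, but the remaining modules still run
    sufficient: success ends the stack successfully unless an earlier
                required module has failed; a failure is simply ignored
    Returns (result, names of the modules that were actually consulted).
    """
    first_required_failure = None
    consulted = []
    for control, module in stack:
        if module is pam_ldap and not ldap_reachable:
            rc = "AUTHINFO_UNAVAIL"  # directory down: pam_ldap cannot decide
        else:
            rc = module(user, password)
        consulted.append(module.__name__)
        if control == "required":
            if rc != "SUCCESS" and first_required_failure is None:
                first_required_failure = rc
        elif control == "sufficient":
            if rc == "SUCCESS" and first_required_failure is None:
                return "SUCCESS", consulted
        else:
            raise ValueError("unsupported control flag: %s" % control)
    # Falling off the end: the trailing 'required pam_deny' is what turns a
    # stack in which nothing succeeded into a failure instead of a success.
    return (first_required_failure or "SUCCESS"), consulted


def compare(user, password, ldap_reachable=True):
    """Run the same login attempt through the old and the new stack."""
    return {
        "old": run_stack(OLD_AUTH, user, password, ldap_reachable),
        "new": run_stack(NEW_AUTH, user, password, ldap_reachable),
    }


if __name__ == "__main__":
    cases = [
        ("alice", "local-secret", True),   # local user, directory up
        ("alice", "local-secret", False),  # local user, directory down
        ("bob", "ldap-secret", True),      # LDAP-only user
        ("bob", "ldap-secret", False),     # LDAP-only user, directory down
        ("carol", "carol-ldap", True),     # name in both stores, LDAP password
    ]
    for user, pw, up in cases:
        for name, (rc, path) in compare(user, pw, up).items():
            print("%-3s %-5s ldap_up=%-5s -> %-16s via %s"
                  % (name, user, up, rc, " -> ".join(path)))
```

Running it shows the two points made in the message and in the hunk comments: with pam_unix first, a local user is authenticated by pam_unix alone and the directory is never consulted (so a down or slow LDAP server no longer sits in front of local logins), while an LDAP-only user falls through pam_unix's `USER_UNKNOWN` to pam_ldap exactly as before. It also shows that, because both entries are `sufficient`, a name present in both stores accepts either password under either ordering, which is why local and directory account names should not overlap.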