On 2008.07.17 10:09:18, [EMAIL PROTECTED] wrote:
> I am wanting to make sure that I have this correct.  Using Pam/NSS/LDAP
> and Samba, I need to make the following file:
> /etc/pam.d/ldap
> which should contain:
> login   auth    sufficient      /usr/local/lib/pam_ldap.so
> Is that all I have to add to the file?  I will also need to uncomment the
> sshd line in the '/etc/pam.d/other' or else put that line in a new file
> that is named 'sshd', if I want to use ssh.
> I am still trying to get a hold of all of this and want to make sure that
> I am doing things correctly.

I had this exact question/problem when setting LDAP authentication up
for the first time last week. The man pages don't seem all that clear,
to me at least, and the pam documentation is vague, when you can find
it. Anyway, below are the settings I used to get SSH authentication
working. The settings work, but I don't claim they are "correct".

$ cat /etc/nsswitch.conf 
group:            files ldap
group_compat:     nis
hosts:            files dns
passwd:           files ldap
passwd_compat:    nis
services:         compat
services_compat:  nis
shells:           files ldap

$ cat /etc/pam.d/sshd 
# auth
#auth           sufficient      pam_opie.so             no_warn no_fake_prompts
#auth           requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn 
auth            required        pam_unix.so             no_warn try_first_pass

I believe, if I read the documentation correctly, you want to add

auth            sufficient      /usr/local/lib/pam_ldap.so

to /etc/pam.d/login. That should instruct pam to check ldap at
login. Hopefully, people who really know what they are doing will

HTH a bit,

~Jason Morgan
freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to