On 2008.07.17 10:09:18, [EMAIL PROTECTED] wrote: > I am wanting to make sure that I have this correct. Using Pam/NSS/LDAP > and Samba, I need to make the following file: > > /etc/pam.d/ldap > > which should contain: > > login auth sufficient /usr/local/lib/pam_ldap.so > > Is that all I have to add to the file? I will also need to uncomment the > sshd line in the '/etc/pam.d/other' or else put that line in a new file > that is named 'sshd', if I want to use ssh. > > I am still trying to get a hold of all of this and want to make sure that > I am doing things correctly.
I had this exact question/problem when setting LDAP authentication up for the first time last week. The man pages don't seem all that clear, to me at least, and the pam documentation is vague, when you can find it. Anyway, below are the settings I used to get SSH authentication working. The settings work, but I don't claim they are "correct". $ cat /etc/nsswitch.conf group: files ldap group_compat: nis hosts: files dns passwd: files ldap passwd_compat: nis services: compat services_compat: nis shells: files ldap $ cat /etc/pam.d/sshd # auth #auth sufficient pam_opie.so no_warn no_fake_prompts #auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass I believe, if I read the documentation correctly, you want to add auth sufficient /usr/local/lib/pam_ldap.so to /etc/pam.d/login. That should instruct pam to check ldap at login. Hopefully, people who really know what they are doing will respond. HTH a bit, ~Jason Morgan _______________________________________________ firstname.lastname@example.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"