Tweak your PAM stacks. Put pam_ldap.so first for all management types, then
make it "sufficient". Leave the rest of the PAM stack in place. Trim down
/etc/passwd and friends to only those UIDs you want to permit to log in
through pam_unix2.so.

Read up on PAM (man 8 pam, and a bunch of documentation that should have
come with your distro) ... there may be side effects to this that you
don't want, and there are options you may wish to use to further refine
LDAP vs other login processing types.

--Jim--
James S. Tison
Senior Software Engineer
TPF Laboratory / Architecture
IBM Corporation
"Backup my hard drive? How do I put it into reverse?"
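Jim's stack, spelled out as an added example (this is editorial, not config
from the original message). It assumes the 2004-era SuSE layout Jim refers to
(pam_unix2.so, one file per service under /etc/pam.d/), and it assumes the
PADL pam_ldap/nss_ldap modules; adjust the file name and module names to your
distribution:

```text
# /etc/pam.d/sshd   -- repeat for login, su, and every other service you manage
#
# LDAP first and "sufficient": if pam_ldap succeeds the stack ends here;
# if it fails for any reason (wrong password, user not in the directory,
# LDAP server unreachable) control falls through to the local modules.
# use_first_pass on pam_unix2 reuses the password pam_ldap already asked for,
# so the user is not prompted twice.
auth      sufficient  pam_ldap.so
auth      required    pam_unix2.so  use_first_pass
account   sufficient  pam_ldap.so
account   required    pam_unix2.so
password  sufficient  pam_ldap.so
password  required    pam_unix2.so
session   sufficient  pam_ldap.so
session   required    pam_unix2.so

# /etc/nsswitch.conf -- resolve local entries before the directory, so root
# and the service accounts left in /etc/passwd resolve even with LDAP down.
passwd:   files ldap
shadow:   files ldap
group:    files ldap
```

Two things to check before rolling this out. First, the fall-through is the
whole point: with pam_ldap marked "sufficient" and no "required" module ahead
of it, an unreachable directory costs you nothing but a delay, and root,
db2inst1 and friends still log in from /etc/shadow; review the nss_ldap
timeout settings in /etc/ldap.conf (bind_policy, timelimit) so that delay stays
short. Second, because the LDAP module runs first and wins on success, a
directory entry whose uid attribute happens to match a local account name,
root included, would be honoured with its LDAP password; keep such entries out
of the directory by ACL, and constrain what pam_ldap will consider on the
client side with pam_min_uid and pam_filter in /etc/ldap.conf.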



James Melin <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
21-04-04 11:11
To: [EMAIL PROTECTED]
Subject: Re: /etc/passwd and /etc/shadow - synchronized on multiple images

Ahh, there's the rub... how do you set up linux so users authenticate
against LDAP but root, db2inst1, da1usr, snort, squid and so on, do not.




"Post, Mark K" <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
04/21/2004 10:07 AM
To: [EMAIL PROTECTED]
Subject: Re: /etc/passwd and /etc/shadow - synchronized on multiple images

James,

Are you talking about system administrator accounts, or user accounts?  As
Thomas said, using LDAP, with or without Kerberos, etc., would be a good
idea, but _not_ for those accounts that need to be able to login to fix
problems with those kinds of tools.  You won't be happy if LDAP isn't
working, and you can't login to fix it, because both your account and the
root account need LDAP to be available.

Keeping things consistent across images for those so-called "local" accounts
isn't particularly easy when done manually, but I'm not aware of any good,
free tools to do that.  What I've done, when creating new images, is copy
the parts of /etc/passwd and /etc/shadow that have UIDs for real people to
the new system, append them to the production copies, and then run a script
that copies their existing home directories from a "source" system and then
does a "chown -R" on them.


Mark Post

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of James Melin
Sent: Wednesday, April 21, 2004 9:24 AM
To: [EMAIL PROTECTED]
Subject: /etc/passwd and /etc/shadow - synchronized on multiple images


What is the best method to duplicate the user list and GID/UID assignments
for users on multiple Linux guests, and keep them consistent?

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send email
to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390



