Re: /etc/pam.d/ldap file question

2008-07-17 Thread sgmayo

Jason Morgan wrote:
> On 2008.07.17 10:09:18, [EMAIL PROTECTED] wrote:
>> I am wanting to make sure that I have this correct.  Using Pam/NSS/LDAP
>> and Samba, I need to make the following file:
>>
>> /etc/pam.d/ldap
>>
>> which should contain:
>>
>> login   auth    sufficient  /usr/local/lib/pam_ldap.so
>>
>> Is that all I have to add to the file?  I will also need to uncomment the
>> sshd line in the '/etc/pam.d/other' or else put that line in a new file
>> that is named 'sshd', if I want to use ssh.
>>
>> I am still trying to get a hold of all of this and want to make sure that
>> I am doing things correctly.
>
> I had this exact question/problem when setting LDAP authentication up
> for the first time last week. The man pages don't seem all that clear,
> to me at least, and the pam documentation is vague, when you can find
> it. Anyway, below are the settings I used to get SSH authentication
> working. The settings work, but I don't claim they are "correct".
>
> $ cat /etc/nsswitch.conf
> group:            files ldap
> group_compat:     nis
> hosts:            files dns
> passwd:           files ldap
> passwd_compat:    nis
> services:         compat
> services_compat:  nis
> shells:           files ldap
>
> $ cat /etc/pam.d/sshd
> # auth
> #auth   sufficient  pam_opie.so         no_warn no_fake_prompts
> #auth   requisite   pam_opieaccess.so   no_warn allow_local
> #auth   sufficient  pam_krb5.so         no_warn try_first_pass
> #auth   sufficient  pam_ssh.so          no_warn try_first_pass
> auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
> auth    required    pam_unix.so         no_warn try_first_pass
>
> I believe, if I read the documentation correctly, you want to add
>
> auth    sufficient  /usr/local/lib/pam_ldap.so
>
> to /etc/pam.d/login. That should instruct pam to check ldap at
> login. Hopefully, people who really know what they are doing will
> respond.
>
> HTH a bit,
>

I found a great article on how to configure PAM.  I believe this may be
one of the best ones that I have read yet.  It explained things very well
I thought.  You probably have to be registered for linux-mag if you want
to read it, but that is free.  This is a very good article.  It explained
the system-auth file also, which is used in Linux, but I don't think that
FreeBSD uses that.  I was wondering exactly what it did until I read this
article.

Part I is here
http://www.linux-mag.com/id/2105/

Part II is here
http://www.linux-mag.com/id/2153

-- 
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669  FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: /etc/pam.d/ldap file question

2008-07-17 Thread Jason Morgan
On 2008.07.17 10:09:18, [EMAIL PROTECTED] wrote:
> I am wanting to make sure that I have this correct.  Using Pam/NSS/LDAP
> and Samba, I need to make the following file:
> 
> /etc/pam.d/ldap
> 
> which should contain:
> 
> login   auth    sufficient  /usr/local/lib/pam_ldap.so
> 
> Is that all I have to add to the file?  I will also need to uncomment the
> sshd line in the '/etc/pam.d/other' or else put that line in a new file
> that is named 'sshd', if I want to use ssh.
> 
> I am still trying to get a hold of all of this and want to make sure that
> I am doing things correctly.

I had this exact question/problem when setting LDAP authentication up
for the first time last week. The man pages don't seem all that clear,
to me at least, and the pam documentation is vague, when you can find
it. Anyway, below are the settings I used to get SSH authentication
working. The settings work, but I don't claim they are "correct".

$ cat /etc/nsswitch.conf 
group:            files ldap
group_compat:     nis
hosts:            files dns
passwd:           files ldap
passwd_compat:    nis
services:         compat
services_compat:  nis
shells:           files ldap

$ cat /etc/pam.d/sshd 
# auth
#auth   sufficient  pam_opie.so         no_warn no_fake_prompts
#auth   requisite   pam_opieaccess.so   no_warn allow_local
#auth   sufficient  pam_krb5.so         no_warn try_first_pass
#auth   sufficient  pam_ssh.so          no_warn try_first_pass
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth    required    pam_unix.so         no_warn try_first_pass

I believe, if I read the documentation correctly, you want to add

auth    sufficient  /usr/local/lib/pam_ldap.so

to /etc/pam.d/login. That should instruct pam to check ldap at
login. Hopefully, people who really know what they are doing will
respond.

HTH a bit,

~Jason Morgan
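Jason's sshd stack lists pam_ldap as "sufficient" ahead of pam_unix as "required". To make visible what that ordering buys, here is an added example that is not part of the thread and not OpenPAM's own code: it parses a pam.d-style file and simulates the auth chain under simplified OpenPAM dispatch rules (required, requisite, sufficient, optional, binding) for a directory user, a local-only user, a bad password, and the same two lines in the reversed order. The file contents, the per-module return codes and the function names are all constructed for the example.

```python
"""Parse a FreeBSD-style /etc/pam.d service file and simulate how the
'auth' chain is dispatched, to show what 'sufficient' and 'required'
actually do in the order they are written."""
from dataclasses import dataclass

# Constructed sample: the /etc/pam.d/sshd posted in the thread, with the
# mail-wrapped pam_ldap line rejoined. Not read from disk.
SSHD_PAM_CONF = """\
# auth
#auth   sufficient  pam_opie.so         no_warn no_fake_prompts
#auth   requisite   pam_opieaccess.so   no_warn allow_local
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth    required    pam_unix.so         no_warn try_first_pass
"""

# Same two modules, but the required local check placed first (constructed
# misordering, used only to show why order matters).
REVERSED_PAM_CONF = """\
auth    required    pam_unix.so         no_warn try_first_pass
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
"""

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"
LDAP = "/usr/local/lib/pam_ldap.so"
UNIX = "pam_unix.so"


@dataclass
class Entry:
    facility: str   # auth, account, session, password
    control: str    # required, requisite, sufficient, optional, binding
    module: str     # module path exactly as written in the file
    args: tuple


def parse_pam_conf(text):
    """pam.d format: '<facility> <control> <module> [args...]', '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed pam line: {raw!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], tuple(parts[3:])))
    return entries


def dispatch(chain, results):
    """Simplified OpenPAM-style dispatch of one facility's chain.
    results maps module path -> code that module would return.
    Returns (final code, list of modules that were actually consulted)."""
    first_fail = None
    nsuccess = 0
    consulted = []
    for e in chain:
        r = results.get(e.module, AUTH_ERR)   # unknown module: treat as failing
        consulted.append(e.module)
        if r == SUCCESS:
            nsuccess += 1
            # A sufficient/binding success ends the chain, but only if no
            # required/requisite module has already failed.
            if e.control in ("sufficient", "binding") and first_fail is None:
                return SUCCESS, consulted
            continue
        if e.control == "requisite":
            return r, consulted                 # stop immediately
        if e.control in ("required", "binding"):
            if first_fail is None:
                first_fail = r                  # remember, but keep going
        # a failing sufficient/optional module is simply ignored
    if first_fail is not None:
        return first_fail, consulted
    # nothing required failed: success if anything succeeded, else denial
    return (SUCCESS if nsuccess else AUTH_ERR), consulted


def simulate(conf_text, results, facility="auth"):
    chain = [e for e in parse_pam_conf(conf_text) if e.facility == facility]
    return dispatch(chain, results)


def scenarios():
    return {
        # directory user, LDAP bind succeeds: pam_unix is never consulted
        "ldap_user_ok": simulate(SSHD_PAM_CONF, {LDAP: SUCCESS, UNIX: AUTH_ERR}),
        # local-only account that LDAP does not know: falls through to pam_unix
        "local_user_ok": simulate(SSHD_PAM_CONF, {LDAP: AUTH_ERR, UNIX: SUCCESS}),
        # wrong password everywhere
        "both_fail": simulate(SSHD_PAM_CONF, {LDAP: AUTH_ERR, UNIX: AUTH_ERR}),
        # required pam_unix first: an LDAP-only user is denied despite a good bind
        "reversed_ldap_user": simulate(REVERSED_PAM_CONF, {LDAP: SUCCESS, UNIX: AUTH_ERR}),
    }


if __name__ == "__main__":
    for name, (code, consulted) in scenarios().items():
        print(f"{name:20s} -> {code:13s} consulted: {' -> '.join(consulted)}")
```

The last scenario is the one worth remembering: with "required pam_unix.so" ahead of "sufficient pam_ldap.so", the recorded pam_unix failure is what the stack returns, so a user who exists only in the directory cannot log in even though pam_ldap said yes. With Jason's order, pam_unix is reached only when LDAP declines, which is what keeps local accounts working when the directory is down.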


/etc/pam.d/ldap file question

2008-07-17 Thread sgmayo
I am wanting to make sure that I have this correct.  Using Pam/NSS/LDAP
and Samba, I need to make the following file:

/etc/pam.d/ldap

which should contain:

login   auth    sufficient  /usr/local/lib/pam_ldap.so

Is that all I have to add to the file?  I will also need to uncomment the
sshd line in the '/etc/pam.d/other' or else put that line in a new file
that is named 'sshd', if I want to use ssh.

I am still trying to get a hold of all of this and want to make sure that
I am doing things correctly.

Thanks for any help.

-- 
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669  FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
