I had set up gdm with ldap on gentoo linux without any problems using the gdm provided with gentoo (not the gdm rpm provided with srss). Unfortunately I didn't save my old simple pam config, and my current config is more complicated but still uses ldap to authenticate.

1. It checks user/password against the local unix password database.
2. If the previous check fails, it checks user/password against the ldap database.
3. It uses pam_mount to save the entered password in a temporary file to pass it to rdesktop or uttsc, so the user can select which session to start in the gdm window - gnome/rdesktop/uttsc - and needs to enter the password only once. If ! [ $GDMSESSION == "rdesktop" -o $GDMSESSION == "uttsc" ] ; then this temporary file is shredded by a script in the /etc/X11/xinit/xinitrc.d directory, else it is shredded in the script starting rdesktop/uttsc. Maybe not too secure, but works.

$ cat /etc/pam.d/gdm-srss
#%PAM-1.0
password   include      system-auth
# BEGIN: added to gdm-srss by SunRay Server Software -- gdm-srss
auth       requisite    /opt/SUNWut/lib/sunray_get_user.so.1 property=username
auth       required     /opt/SUNWut/lib/pam_sunray_amgh.so.1
auth       sufficient   /opt/SUNWkio/lib/pam_kiosk.so log=user ignoreuser
auth       requisite    /opt/SUNWkio/lib/pam_kiosk.so log=user
auth       required     /opt/SUNWut/lib/sunray_get_user.so.1 prompt
auth       required     /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
auth       optional     pam_env.so
auth       required     pam_nologin.so
auth       [success=2 default=ignore]   pam_unix.so likeauth nullok
auth       [success=1 default=ignore]   pam_ldap.so use_first_pass
auth       requisite    pam_deny.so
auth       optional     pam_mount.so use_first_pass
session    required     /opt/SUNWkio/lib/pam_kiosk.so log=user
session    include      system-auth
session    optional     pam_mount.so
account    sufficient   /opt/SUNWkio/lib/pam_kiosk.so log=user
account    include      system-auth

$ cat /etc/pam.d/system-auth
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
account    requisite    pam_unix.so
account    sufficient   pam_localuser.so
account    required     pam_ldap.so
password   required     pam_cracklib.so difok=2 minlen=7 dcredit=2 ocredit=2 retry=3
#password   optional     pam_unix.so nullok use_authtok shadow md5
#password   sufficient   pam_localuser.so
password   optional     pam_ldap.so use_first_pass
password   sufficient   pam_smbpass.so use_first_pass use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0066
session    optional     pam_ldap.so

On Thursday 10 July 2008 18:38, Damon Getsman wrote:
> I know I've asked about this before here, and I understand that the
> SunRay PAM modules shouldn't interfere with LDAP authentication.
> However for some reason that I'm not certain of, my LDAP
> authentication stopped working with gdm and ONLY gdm (on the console
> as well as a SunRay). By reason of the messages I'm getting with the
> pam error from only gdm, I'm thinking that one of the SunRay PAM
> modules may be passing an incorrect uid which is thus causing pam to
> not be able to search correctly.
>
> I know it's not SunRay specific, but I've already put down all of the
> information that might help with this problem in 2 messages:
> http://www.mail-archive.com/[email protected]/msg09781.html
> <-- first description of the problem, then
> https://listserver.itd.umich.edu/cgi-bin/lyris.pl?visit=ldap&id=374187227
> (or next message) for the added information from when I put a head on
> the SRSS server.
>
> I'd appreciate anything you guys might be able to help me with on
> this... I would've pasted all of the information here, but this isn't
> directly SunRay related, so I wanted to make sure that it wasn't
> wasting too much space if you wanted to skip it.
>
> Thanks in advance..
>
> Damon Getsman
> _______________________________________________
> SunRay-Users mailing list
> [email protected]
> http://www.filibeto.org/mailman/listinfo/sunray-users
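
The local-then-LDAP-then-pam_mount flow of the gdm-srss auth stack in the reply above can be traced with a small evaluator. This is an added example, not part of the original message or of SRSS: `parse`, `evaluate` and `demo` are hypothetical names, the module results are constructed, the dispatch logic is a simplified model of Linux-PAM, and the SunRay/kiosk lines are omitted because their return values are not given in the message.

```python
import re
# Tail of the gdm-srss auth stack quoted from the message. The SunRay and
# kiosk modules are omitted: their return values are not described there.
STACK = """\
auth required pam_nologin.so
auth [success=2 default=ignore] pam_unix.so likeauth nullok
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so use_first_pass
"""
LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text):
    """Return [(control, module)]; bracketed controls become action dicts."""
    rules = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        control, module = m.groups()
        if control.startswith("["):
            control = dict(kv.split("=") for kv in control[1:-1].split())
        rules.append((control, module))
    return rules

def evaluate(rules, results):
    """Simplified model of Linux-PAM dispatch (assumption: modules only pass
    or fail). results maps module name -> bool. Returns (granted, ran)."""
    ok, failed, ran, i = False, False, [], 0
    while i < len(rules):
        control, module = rules[i]
        passed = results[module]
        ran.append(module)
        i += 1
        if isinstance(control, dict):
            action = control["success" if passed and "success" in control else "default"]
            if action.isdigit():
                i += int(action)           # jump: skip the next N modules
            elif action != "ignore":
                raise ValueError(f"action {action!r} not modelled")
        elif passed:
            if control == "sufficient" and not failed:
                return True, ran
            ok = True                      # required/requisite/optional success
        elif control == "requisite":
            return False, ran              # abort: later modules never run
        elif control == "required":
            failed = True                  # keep going, but the stack will fail
    return ok and not failed, ran

def demo(unix_ok, ldap_ok):  # constructed results: pam_deny always fails
    return evaluate(parse(STACK), {"pam_nologin.so": True, "pam_unix.so": unix_ok,
        "pam_ldap.so": ldap_ok, "pam_deny.so": False, "pam_mount.so": True})
```

In the trace, pam_mount.so runs only after pam_unix.so or pam_ldap.so has accepted the password; when both reject it, pam_deny.so ends the stack first, so a wrong password is never handed to pam_mount.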
