Date: Thu, 17 Jul 2008 12:43:56 -0400 From: Jason Morgan <jwm-freebsd-questions@sentinelchicken.net> To: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Re: /etc/pam.d/ldap file question Message-ID: <20080717164355.GA15482@sentinelchicken.net> In-Reply-To: <1761.204.184.27.217.1216307358.squirrel@mail.bloomfield.k12.mo.us> References: <1105.204.184.27.217.1216233869.squirrel@mail.bloomfield.k12.mo.us> <20080716195709.GA19044@dan.emsphone.com> <1672.204.184.27.217.1216304729.squirrel@mail.bloomfield.k12.mo.us> <1761.204.184.27.217.1216307358.squirrel@mail.bloomfield.k12.mo.us>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2008.07.17 10:09:18, sgmayo@mail.bloomfield.k12.mo.us wrote: > I am wanting to make sure that I have this correct. Using Pam/NSS/LDAP > and Samba, I need to make the following file: > > /etc/pam.d/ldap > > which should contain: > > login auth sufficient /usr/local/lib/pam_ldap.so > > Is that all I have to add to the file? I will also need to uncomment the > sshd line in the '/etc/pam.d/other' or else put that line in a new file > that is named 'sshd', if I want to use ssh. > > I am still trying to get a hold of all of this and want to make sure that > I am doing things correctly. I had this exact question/problem when setting LDAP authentication up for the first time last week. The man pages don't seem all that clear, to me at least, and the pam documentation is vague, when you can find it. Anyway, below are the settings I used to get SSH authentication working. The settings work, but I don't claim they are "correct". $ cat /etc/nsswitch.conf group: files ldap group_compat: nis hosts: files dns passwd: files ldap passwd_compat: nis services: compat services_compat: nis shells: files ldap $ cat /etc/pam.d/sshd # auth #auth sufficient pam_opie.so no_warn no_fake_prompts #auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass I believe, if I read the documentation correctly, you want to add auth sufficient /usr/local/lib/pam_ldap.so to /etc/pam.d/login. That should instruct pam to check ldap at login. Hopefully, people who really know what they are doing will respond. HTH a bit, ~Jason Morgan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080717164355.GA15482>