Date: Thu, 17 Jul 2008 13:38:28 -0500 (CDT)
From: sgmayo@mail.bloomfield.k12.mo.us
To: freebsd-questions@freebsd.org
Subject: Re: /etc/pam.d/ldap file question
Message-ID: <2265.204.184.27.217.1216319908.squirrel@mail.bloomfield.k12.mo.us>
In-Reply-To: <20080717164355.GA15482@sentinelchicken.net>
References: <1105.204.184.27.217.1216233869.squirrel@mail.bloomfield.k12.mo.us> <20080716195709.GA19044@dan.emsphone.com> <1672.204.184.27.217.1216304729.squirrel@mail.bloomfield.k12.mo.us> <1761.204.184.27.217.1216307358.squirrel@mail.bloomfield.k12.mo.us> <20080717164355.GA15482@sentinelchicken.net>
Jason Morgan wrote:
> On 2008.07.17 10:09:18, sgmayo@mail.bloomfield.k12.mo.us wrote:
>> I am wanting to make sure that I have this correct. Using Pam/NSS/LDAP
>> and Samba, I need to make the following file:
>>
>> /etc/pam.d/ldap
>>
>> which should contain:
>>
>> login auth sufficient /usr/local/lib/pam_ldap.so
>>
>> Is that all I have to add to the file? I will also need to uncomment the
>> sshd line in the '/etc/pam.d/other' or else put that line in a new file
>> that is named 'sshd', if I want to use ssh.
>>
>> I am still trying to get a hold of all of this and want to make sure that
>> I am doing things correctly.
>
> I had this exact question/problem when setting LDAP authentication up
> for the first time last week. The man pages don't seem all that clear,
> to me at least, and the pam documentation is vague, when you can find
> it. Anyway, below are the settings I used to get SSH authentication
> working. The settings work, but I don't claim they are "correct".
>
> $ cat /etc/nsswitch.conf
> group: files ldap
> group_compat: nis
> hosts: files dns
> passwd: files ldap
> passwd_compat: nis
> services: compat
> services_compat: nis
> shells: files ldap
>
> $ cat /etc/pam.d/sshd
> # auth
> #auth sufficient pam_opie.so no_warn no_fake_prompts
> #auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
> auth required pam_unix.so no_warn try_first_pass
>
> I believe, if I read the documentation correctly, you want to add
>
> auth sufficient /usr/local/lib/pam_ldap.so
>
> to /etc/pam.d/login. That should instruct pam to check ldap at
> login. Hopefully, people who really know what they are doing will
> respond.
>
> HTH a bit,

I found a great article on how to configure PAM. I believe this may be one of the best ones that I have read yet. It explained things very well, I thought.
You probably have to be registered for linux-mag if you want to read it, but that is free. This is a very good article. It explained the system-auth file also, which is used in Linux, but I don't think that FreeBSD uses that. I was wondering exactly what it did until I read this article.

Part I is here: http://www.linux-mag.com/id/2105/
Part II is here: http://www.linux-mag.com/id/2153

--
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
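As an added illustration (not code from the thread, from PAM, or from pam_ldap), this Python simulation parses the auth stack quoted above for /etc/pam.d/sshd and walks it with PAM's control-flag rules, so you can see why `sufficient pam_ldap.so` placed before `required pam_unix.so` admits an LDAP-only user while still falling back to local passwords, and why swapping the two lines locks LDAP-only users out. Module outcomes are constructed inputs passed in as a dict; the reversed stack is a constructed counter-example.

```python
# Constructed example: simulates PAM control-flag semantics over the quoted
# /etc/pam.d/sshd auth stack; module outcomes come from a dict, not real modules.
# Stack from the quoted /etc/pam.d/sshd (a commented-out line is kept
# to show that the parser skips comments).
SSHD_AUTH = """\
#auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
"""

# Same two modules with the order swapped, to show why order matters.
REVERSED_AUTH = """\
auth required pam_unix.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
"""

def parse_pamd(text):
    """Return [(facility, control, module, options)] for non-comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        facility, control, module = fields[:3]
        entries.append((facility, control.lower(), module, fields[3:]))
    return entries

def evaluate(entries, facility, results):
    """Walk one facility's stack; results maps module basename -> bool.
    required:   failure is remembered, but later modules still run
    requisite:  failure ends the stack immediately
    sufficient: success ends the stack unless a required module failed
    A module absent from `results` counts as failed; optional is ignored.
    """
    failed_required = False
    for fac, control, module, _opts in entries:
        if fac != facility:
            continue
        ok = results.get(module.rsplit("/", 1)[-1], False)
        if control == "required":
            failed_required = failed_required or not ok
        elif control == "requisite" and not ok:
            return False
        elif control == "sufficient" and ok and not failed_required:
            return True
    return not failed_required
```

FreeBSD's OpenPAM also defines a `binding` control flag, which this simulation does not model.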