From: Cai Guo Qiang
To: freebsd-isp@freebsd.org
Date: Thu, 16 Oct 2003 09:10:26 +0200
Subject: auth ldap pam

Hi there,

I've got a problem with the authentication of pam using ldap. Well, it kind of works, but it seems that all services work, not only those which are configured in pam.d/.

Example: I configured pam.d/sshd to use the ldap module and all other services remained unchanged. Now it should be possible for a user, whose account is stored in the ldap directory, to log into the system over sshd. This worked, but the same user id could also log in using services such as ftp or http. This should not be possible, because only sshd is supposed to auth against the ldap directory.

Perhaps you have the same problem and can help me.

franz

Some configs:

libnss-ldap.conf and pam_ldap.conf:

    host 192.168.0.1
    base dc=test,dc=com
    ldap_version 3
    rootbinddn cn=root,dc=test,dc=com
    port 389
    scope sub

nsswitch.conf:

    passwd: files ldap
    shadow: files ldap
    group: files ldap

pam.d/sshd:

    auth required pam_ldap.so
    account required pam_ldap.so
    password required pam_ldap.so
    session required pam_ldap.so
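
Added example, not part of the original message: a small audit of the configuration quoted above. nsswitch.conf is read by every process, so with "passwd: files ldap" a service whose stack uses pam_unix can still look up LDAP accounts through NSS even though its pam.d file never mentions pam_ldap. The ftpd stack, the function names and the report labels are assumptions made for this illustration; whether such a service can also verify an LDAP user's password depends on what the directory returns, which the message does not say.

```python
import re

# Constructed sample files mirroring the configuration quoted in the message.
# The ftpd stack is an assumed pam_unix setup, not taken from the post.
NSSWITCH = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n"
PAM_D = {
    "sshd": "auth required pam_ldap.so\naccount required pam_ldap.so\n",
    "ftpd": "auth required pam_unix.so\naccount required pam_unix.so\n",
}

def nss_sources(text, database="passwd"):
    """Return the ordered lookup sources for one nsswitch.conf database."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            # Drop [STATUS=action] criteria, keep only the source names.
            return re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1]).split()
    return []

def pam_modules(text, facility="auth"):
    """Return the modules a pam.d file lists for a facility (single-word control flags)."""
    mods = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            mods.append(fields[2])
    return mods

def audit(nsswitch, pam_d):
    """Classify each service by how it can reach LDAP accounts."""
    ldap_in_nss = "ldap" in nss_sources(nsswitch)
    report = {}
    for service, text in sorted(pam_d.items()):
        mods = pam_modules(text)
        if any(m.endswith("pam_ldap.so") for m in mods):
            report[service] = "pam_ldap"        # explicit LDAP authentication
        elif ldap_in_nss and any(m.endswith("pam_unix.so") for m in mods):
            report[service] = "nss-visible"     # pam_unix resolves LDAP users via NSS
        else:
            report[service] = "local-only"
    return report

if __name__ == "__main__":
    for service, path in audit(NSSWITCH, PAM_D).items():
        print(f"{service}: {path}")
```

Any service reported as nss-visible needs its own restriction, because removing pam_ldap from its pam.d file does not hide the LDAP accounts from it.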