[plug] PAM/LDAP

Patrick Coleman blinken at gmail.com
Tue May 16 14:59:47 WST 2006


On 5/16/06, Jason Nicholls <jason at mindsocket.com.au> wrote:
> > There are various options in /etc/pam_ldap.conf that look like they do
> > exactly what I want - pam_filter, pam_check_host_attr and pam_groupdn
> > - but none of these appears to do anything. I'm thinking that perhaps
> > it may be something to do with my /etc/pam.d config.
> >
> > Has anyone done a similar sort of setup? I might also try the openldap
> > mailing lists, and I'll post here if I get any solutions.
>
> Are these boxes also configured to do nss_ldap?

Yes, they are.

> in which case it may be
> failing pam_ldap but succeeding nss_ldap (pam_unix) anyway. Just remove
> the ldap entries in /etc/nsswitch.conf if so.

I think that could be correct - here's /var/log/auth.log:
May 16 14:56:00 localhost sshd[26069]: Accepted keyboard-interactive/pam for user from ::ffff:10.0.0.4 port 2593 ssh2
May 16 14:56:00 localhost sshd[26070]: Accepted keyboard-interactive/pam for user from ::ffff:10.0.0.4 port 2593 ssh2
May 16 14:56:00 localhost sshd[26072]: (pam_unix) session opened for user user by (uid=0)
May 16 14:56:00 localhost sshd[26069]: nss_ldap: reconnecting to LDAP server...
May 16 14:56:00 localhost sshd[26069]: nss_ldap: reconnected to LDAP server after 1 attempt(s)

Only problem is I need nss-ldap as the NFS server handles quotas for
users and so needs to know uid->username mappings. libnss-ldap.conf
has similar options to pam_ldap.conf, but they appear to do nothing.
It looks like pam-ldap was working, just nss was taking over as you
said.

> You might also be able to use /etc/security/access.conf as a workaround.

I'll have a look.

Cheers,
Patrick
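
The log above shows pam_unix opening the session for a user that pam_ldap's filter should have rejected. The following added example (my illustration, not Patrick's or the list's configuration) models Linux-PAM's keyword control flags and a subset of pam_access's /etc/security/access.conf to show why an `auth sufficient pam_ldap.so` / `auth required pam_unix.so` stack passes an LDAP user whose shadow entry arrives through nss_ldap, and how putting pam_access in front of it closes the gap. The two stacks, the access.conf rules, the user and group names and the 10.0.0.4 origin are all constructed; the Debian common-auth layout they imitate is an assumption.

```python
"""Model of a Linux-PAM 'auth' stack plus a subset of pam_access's
access.conf, added to illustrate the thread's diagnosis: pam_ldap rejects
the user but pam_unix still succeeds because nss_ldap serves the shadow map.
Not the original poster's configuration."""

SUCCESS, FAIL = "success", "fail"


def parse_pam(text):
    """Parse 'type control module [args...]' lines; comments and blanks are
    skipped and the bracketed [value=action] syntax is outside this model."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ptype, control, module, *args = line.split()
            stack.append((ptype, control.lower(), module, args))
    return stack


def evaluate_stack(stack, results, ptype="auth"):
    """Walk one management group with Linux-PAM keyword semantics.
    `results` maps module file name -> result that module would return."""
    failed, seen = False, 0
    for mtype, control, module, _args in stack:
        if mtype != ptype:
            continue
        seen += 1
        res = results.get(module, FAIL)
        if control == "required":
            failed = failed or res == FAIL   # remembered, stack keeps running
        elif control == "requisite":
            if res == FAIL:
                return FAIL                  # stop at once
        elif control == "sufficient":
            if res == SUCCESS and not failed:
                return SUCCESS               # its own failure is ignored
        elif control != "optional":
            raise ValueError(f"unsupported control flag {control!r}")
    if seen == 0:
        return FAIL                          # empty stack is an error in PAM
    return FAIL if failed else SUCCESS


def parse_access(text):
    """Parse 'permission : users : origins' (subset: +/-, ALL, names,
    (group) entries, literal host or address origins)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":"))
            rules.append((perm == "+", users.split(), origins.split()))
    return rules


def access_allowed(rules, user, groups, origin):
    """First matching rule decides, as in pam_access; no match means allow."""
    for allow, users, origins in rules:
        user_hit = any(u == "ALL" or u == user
                       or (u.startswith("(") and u.strip("()") in groups)
                       for u in users)
        origin_hit = any(o == "ALL" or o == origin for o in origins)
        if user_hit and origin_hit:
            return allow
    return True


# Constructed stacks in the style of a Debian common-auth (assumption).
VULNERABLE_AUTH = """
auth  sufficient  pam_ldap.so
auth  required    pam_unix.so nullok_secure use_first_pass
"""
HARDENED_AUTH = """
auth  required    pam_access.so
auth  sufficient  pam_ldap.so
auth  required    pam_unix.so nullok_secure use_first_pass
"""
# Constructed access.conf: root and one LDAP group may log in, nobody else.
ACCESS_CONF = """
+ : root (fileserver-admins) : ALL
- : ALL : ALL
"""


def authenticate(pam_text, user, groups, origin, ldap_filter_ok, shadow_via_nss):
    """Outcome of one login. ldap_filter_ok: pam_ldap's pam_filter/pam_groupdn
    check passes. shadow_via_nss: pam_unix can see a shadow entry for the
    user, which with 'shadow: files ldap' in nsswitch.conf is true for LDAP
    users, so a correct password satisfies pam_unix on its own."""
    results = {
        "pam_ldap.so": SUCCESS if ldap_filter_ok else FAIL,
        "pam_unix.so": SUCCESS if shadow_via_nss else FAIL,
        "pam_access.so": SUCCESS if access_allowed(
            parse_access(ACCESS_CONF), user, groups, origin) else FAIL,
    }
    return evaluate_stack(parse_pam(pam_text), results)
```

Calling `authenticate(VULNERABLE_AUTH, "user", [], "10.0.0.4", False, True)` reproduces the bypass: pam_ldap's failure is ignored because it is `sufficient`, and the `required` pam_unix succeeds on the LDAP-served shadow entry. Dropping ldap from the shadow map (the `shadow_via_nss=False` case) fixes it but breaks the uid mapping the NFS server needs; the `HARDENED_AUTH` stack keeps nss_ldap and lets access.conf decide instead. Note that because pam_access is `required` and runs first, local root must be listed in access.conf too, which is why the first rule names it.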


