[plug] PAM/LDAP
Patrick Coleman
blinken at gmail.com
Wed May 17 09:06:15 WST 2006
On 5/16/06, Padraig MacIain <draoidh at iinet.net.au> wrote:
<snip>
Ok, got it sorted. It is possible to edit nsswitch.conf so that libnss
cannot get user _passwords_ from LDAP, but it can get UID, GID etc.
Before (as Jason mentioned) what was happening was that pam_ldap was
failing but pam_unix was succeeding - because for whatever reason
libnss_ldap was ignoring the pam_filter directive in
/etc/libnss_ldap.conf and was passing the LDAP password into pam_unix.
pam_ldap does not appear to ignore this directive, so I have the
following line in /etc/pam_ldap.conf:
pam_filter employeeType=admin
so pam_ldap will only allow LDAP entries that contain that particular attribute.
I then edited /etc/nsswitch.conf and changed the following lines from:
passwd: ldap files
group: ldap files
shadow: ldap files
to:
passwd: ldap files
group: ldap files
shadow: files
This allows libnss_ldap to use LDAP for GID/UID etc, but not for
password authentication, and so prevents it from passing passwords
into pam_unix. You could probably remove the files entry altogether
from shadow and so prevent pam_unix being used at all, but I want to
be able to login as root if the LDAP server fails.
Authentication is then handled by pam_ldap, which is above pam_unix in
the PAM auth stack. Admin users do not have to be in the local
/etc/passwd database, because pam_ldap will allow them in.
pam_ldap will succeed if the user is an admin in LDAP, and pam_unix
will only succeed if users are in /etc/passwd. As long as no non-admin
user is in /etc/passwd this will work.
My /etc/pam.d/common-auth:
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
/etc/security/access.conf did work, but I wanted to work out why all
this was broken in the first place :)
Thanks to everyone who replied.
Cheers,
Patrick
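As an added illustration (not part of Patrick's message or of any project's code), a small Python audit script that parses the nsswitch.conf and common-auth fragments from the post, embedded here as constructed sample input, and flags the condition that let pam_unix accept the LDAP-supplied hash and sidestep pam_filter:

```python
# Constructed sample inputs mirroring the before/after fragments in the post above.
NSSWITCH_BEFORE = """\
passwd: ldap files
group: ldap files
shadow: ldap files
"""
NSSWITCH_AFTER = """\
passwd: ldap files
group: ldap files
shadow: files
"""
COMMON_AUTH = """\
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
"""

def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf text; comments and [STATUS=action] tokens dropped."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, srcs = line.partition(":")
        dbs[db.strip()] = [s for s in srcs.split() if not s.startswith("[")]
    return dbs

def parse_pam_auth(text):
    """Return [(control, module, options)] for the auth lines of a PAM config file."""
    stack = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "auth":
            stack.append((parts[1], parts[2], parts[3:]))
    return stack

def audit(nsswitch_text, pam_text):
    """Return findings; an empty list means the stack matches the fix described in the post."""
    findings = []
    shadow_srcs = parse_nsswitch(nsswitch_text).get("shadow", [])
    stack = parse_pam_auth(pam_text)
    unix_idx = [i for i, m in enumerate(stack) if m[1] == "pam_unix.so"]
    ldap_idx = [i for i, m in enumerate(stack) if m[1] == "pam_ldap.so"]
    if "ldap" in shadow_srcs and unix_idx:
        # pam_unix would verify the LDAP-supplied hash itself, so pam_filter never applies.
        findings.append("shadow: sourced from ldap, pam_unix bypasses pam_filter")
    if ldap_idx and unix_idx and ldap_idx[0] > unix_idx[0]:
        findings.append("common-auth: pam_ldap must sit above pam_unix")
    return findings
```

Running audit() on the "before" nsswitch.conf reports the shadow finding; on the "after" file it reports nothing.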