Re: LDAP, part 2
On Mon, May 29, 2000 at 12:02:47PM -0500, John Corey wrote:
> After someone mentioned LDAP a couple weeks ago, I finally decided to
> also look at it. Now, I've migrated the passwd file into my ldap server
> and modified a couple /etc/pam.d/ files to use it on login (from the
> example ones pam_ldap came with). I then set it up with some differing
> parameters between /etc/passwd and my user record in the ldap server.
>
> It does verify my password on login just fine, so I had my hopes up.
> But once I log in, I am using my shell from /etc/passwd instead of
> ldap's loginshell attribute.
First off, remember that you have to configure glibc's nsswitch
stuff. Install the libnss-ldap module, and configure
/etc/nsswitch.conf to use it. (On Debian: "apt-get install
libnss-ldap", then edit /etc/nsswitch.conf and /etc/libnss-ldap.conf
to taste.)
> Here is the pam login file.
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_nologin.so
> auth sufficient /lib/security/pam_ldap.so
> auth required /lib/security/pam_unix_auth.so try_first_pass
> account sufficient /lib/security/pam_ldap.so
> account required /lib/security/pam_unix_acct.so
> password required /lib/security/pam_cracklib.so
> password required /lib/security/pam_ldap.so
> password required /lib/security/pam_pwdb.so use_first_pass
> session required /lib/security/pam_unix_session.so
That looks pretty good.
> If I read PAM's docs correctly, the account line is where it would pull
> the information, shell, home dir, etc. I've tried making ldap the only
> one, using "required" instead of sufficient, etc. with no luck. Does
> anyone know where I might be missing something?
Like say, nsswitch might be required. I know that when I misconfigure
the nsswitch stuff but properly configure PAM, I can't even log in.
> Also, there was talk about the passwd command. As I understand it, when
> properly set up, the pam module does the work of changing passwords. So
> when you tell /etc/pam.d/passwd to use the pam_ldap (or other) module,
> that should change the password on the right service. So one passwd
> command can handle any number of authentication schemes. Of course,
> actually doing it isn't so simple. :) The ldappasswd command will
> change it on the server, but not sync it with /etc/passwd.
The one thing you want to make sure of is that you're getting the
hashing algorithm you want. If you're not careful, you could end up
with old-style crypt or (horrors!) plaintext passwords in LDAP. You
probably would rather have (s)md5 or (s)sha hashing systems. (The "s"
signifies "salted"; i.e. a salt value is mixed in with the password,
just like crypt does.)
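Two checks that follow from the reply above, written as an added example (this is not code from the thread or from pam_ldap/libnss-ldap): first, whether /etc/nsswitch.conf actually lists the ldap source for the passwd, shadow and group databases, which is the missing piece when PAM authenticates fine but the shell still comes from /etc/passwd; second, an audit of exported userPassword values for the storage scheme, flagging crypt, unsalted digests and plaintext as weak and the salted schemes as fine. It assumes the standard "database: source source" nsswitch syntax and LDIF output where userPassword is either in the clear ("userPassword: {SSHA}...") or base64-encoded ("userPassword:: ...", decoded with coreutils' base64 -d, an assumption about the host). The sample nsswitch.conf and LDIF in demo() are constructed, not real data.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes the usual nsswitch.conf
# syntax and LDIF-formatted userPassword values (base64 decoding relies on
# coreutils' base64 -d, an assumption about the host).

# nsswitch_has_ldap FILE DB: succeed if DB's line in FILE lists the ldap source.
# Without this, PAM can authenticate against LDAP but getpwnam() still comes
# from /etc/passwd, which is the symptom described in the thread.
nsswitch_has_ldap() {
    sed 's/#.*//' "$1" \
      | grep -E "^[[:space:]]*$2:" \
      | grep -qE '(^|[[:space:]])ldap([[:space:]]|$)'
}

# userpassword_scheme LINE: print the storage scheme of one userPassword
# LDIF line: the {SCHEME} tag (upper-cased), "plain" if there is no tag,
# "undecodable" for base64 that will not decode, "n/a" for other lines.
userpassword_scheme() {
    line="$1"
    case "$line" in
        "userPassword:: "*)
            # base64-encoded value: decode, then classify the decoded form
            decoded=$(printf '%s' "${line#userPassword:: }" | base64 -d 2>/dev/null) \
                || { echo "undecodable"; return; }
            userpassword_scheme "userPassword: $decoded" ;;
        "userPassword: {"*)
            printf '%s\n' "$line" \
              | sed 's/^userPassword: {\([^}]*\)}.*/\1/' \
              | tr 'a-z' 'A-Z' ;;
        "userPassword:"*) echo "plain" ;;
        *) echo "n/a" ;;
    esac
}

# classify_scheme SCHEME: "ok" for the salted schemes the reply recommends,
# "weak" for unsalted digests, crypt and plaintext, "unknown" otherwise.
classify_scheme() {
    case "$1" in
        SSHA|SMD5) echo "ok" ;;
        CRYPT|MD5|SHA|plain) echo "weak" ;;
        *) echo "unknown" ;;
    esac
}

# audit_ldif FILE: print "dn scheme verdict" for every userPassword in FILE.
audit_ldif() {
    dn=""
    while IFS= read -r line; do
        case "$line" in
            "dn: "*) dn="${line#dn: }" ;;
            "userPassword:"*)
                scheme=$(userpassword_scheme "$line")
                printf '%s %s %s\n' "$dn" "$scheme" "$(classify_scheme "$scheme")" ;;
        esac
    done < "$1"
}

# Stand-alone demo on constructed sample files (hashes and names are made up).
demo() {
    ns=$(mktemp); ldif=$(mktemp)
    printf 'passwd: files ldap\nshadow: files ldap\ngroup:  files\n' > "$ns"
    cat > "$ldif" <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {SSHA}c29tZS1zYWx0ZWQtaGFzaA==

dn: uid=bob,ou=People,dc=example,dc=com
userPassword: {CRYPT}abJnggxhB/yWI

dn: uid=carol,ou=People,dc=example,dc=com
userPassword: hunter2
EOF
    for db in passwd shadow group; do
        if nsswitch_has_ldap "$ns" "$db"; then echo "$db: ldap configured"
        else echo "$db: ldap NOT configured"; fi
    done
    audit_ldif "$ldif"
    rm -f "$ns" "$ldif"
}

demo
```

Run it against a real export with `audit_ldif <(ldapsearch ... userPassword)` or a slapcat dump; any "weak" or "undecodable" verdict is worth a look, and a "plain" scheme means the directory is storing the password itself rather than a hash. The nsswitch check deliberately strips comments first, so a commented-out "ldap" does not count as configured.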
--
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.