I did run into a few issues in the auth.log which prompted a few questions:
From the auth.log:
> PAM pam_parse: expecting return value; [...module_unkown=ignore default=die success=done > user_unkown=ignore system_err=ignore service_err=ignore authinfo_unavail=ignore]
Is this due to my syntax being incorrect in pam.d/login?
---------------
> FAILED LOGIN (1) on 'tty1' FOR 'root', Authentication service cannot retrieve authentication info.
I must be able to log in as at least 'root'....does your config limit this option?
-----------------
> pam_ldap: ldap_simple_bind cannot contact LDAP server.
I did a simple bind search against the LDAP server prior to changing my pam.d/login then rebooted...perhaps slapd didn't restart...I'll check that.
Thanks again,
TJ
On Fri, 2004-04-30 at 06:46, Brendon Colby wrote:
On Thu, 2004-04-29 at 09:01, Tim Jordan wrote:
> I noticed that the common-session is included under the login config.
> Although, I can't think of what session would have to do with user
> authentication.
>
> Also, since there are "auth" lines in the login config perhaps I should
> include the pam_ldap.so at the top of the login config?
>
> **I included comments showing how the respective config file is set.**
>
> Debian Testing /etc/pam.d/login:
> auth requisite pam_securetty.so #Disallows root logins except on tty's..
> auth requisite pam_nologin.so #Disallows other than root logins when /etc/nologin exists
> auth required pam_env.so #Parses /etc/environment
>
> @include common-auth #auth required pam_login.so
> @include common-account #account required pam_login.so
> @include common-session #session required pam_unix.so
>
> session optional pam_lastlog.so # prints last login info upon successful login
> session optional pam_motd.so # prints the motd upon successful login
> session optional pam_mail.so standard noenv # prints status of users mbx upon login
>
> Is there a "test" that would ensure that pam_ldap.so is being called?
> Just looking at the auth.log is not providing much except pam_unix.so
> entries.
>
> Thanks,
> Tim Jordan
I just modified /etc/pam.d/login a little:

auth       requisite  pam_securetty.so
auth       requisite  pam_nologin.so
auth       required   pam_env.so
auth       required   pam_ldap.so
auth       required   pam_unix.so nullok use_first_pass
account    [module_unknown=ignore default=die success=done user_unknown=ignore \
            system_err=ignore service_err=ignore authinfo_unavail=ignore] \
           pam_ldap.so
account    required   pam_unix.so
session    required   pam_unix.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard noenv
password   sufficient pam_ldap.so
password   required   pam_unix.so nullok obscure min=4 max=8 md5

This is off a stock Debian Woody box. Local logins do auth against LDAP. It works great, unless my LDAP server is unavailable. Then, the box is locked out. This is why I haven't put this into production yet. If you want ssh to auth against LDAP, then you have to modify /etc/pam.d/ssh using the same lines as above.
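As an added illustration, not code from either poster: a small Python model of how Linux-PAM parses a control field and walks a stack, following the pam.conf(5) actions ok/done/bad/die/ignore (jumps and reset are left out). It shows that a misspelled return value such as `module_unkown` is rejected, which is what the pam_parse line in TJ's auth.log reports, and that with the LDAP server unreachable the posted auth stack fails (the lockout Brendon describes) while the bracketed account line tolerates it; the module return values are constructed inputs, and "cannot retrieve authentication info" is the PAM error text for authinfo_unavail.

```python
# Return values pam.conf(5) accepts in a "[value=action ...]" control field.
PAM_RETURNS = set("""success open_err symbol_err service_err system_err buf_err perm_denied auth_err cred_insufficient
 authinfo_unavail user_unknown maxtries new_authtok_reqd acct_expired session_err cred_unavail cred_expired cred_err
 no_module_data conv_err authtok_err authtok_recover_err authtok_lock_busy authtok_disable_aging try_again ignore abort
 authtok_expired module_unknown bad_item conv_again incomplete default""".split())
# The simple keywords are shorthand for these bracketed forms (pam.conf(5)).
SIMPLE = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
def parse_control(field):
    """{return_value: action} for a control field; None if a token is not a PAM return value."""
    if field in SIMPLE:
        return dict(SIMPLE[field])
    actions = {}
    for tok in field.strip("[]").split():
        ret, _, act = tok.partition("=")
        if ret not in PAM_RETURNS or not act:
            return None  # the case pam_parse logs as "expecting return value"
        actions[ret] = act
    return actions

def run_stack(stack, results):
    """Outcome of [(control, module), ...]; results maps module -> constructed return value."""
    failed = False
    for control, module in stack:
        actions = parse_control(control)
        ret = results.get(module, "success")  # modules not in results are assumed to succeed
        act = actions.get(ret, actions.get("default", "bad"))
        if act == "ignore":
            continue
        if act in ("bad", "die"):  # record the first failure; die also stops the stack
            failed = True
            if act == "die":
                return "failure"
        elif act == "done" and not failed:  # sufficient-style early success
            return "success"
    return "failure" if failed else "success"

ACCOUNT_CTRL = ("[module_unknown=ignore default=die success=done user_unknown=ignore "
                "system_err=ignore service_err=ignore authinfo_unavail=ignore]")
LOGIN_AUTH = [("requisite", "pam_securetty.so"), ("requisite", "pam_nologin.so"),
              ("required", "pam_env.so"), ("required", "pam_ldap.so"), ("required", "pam_unix.so")]
LOGIN_ACCOUNT = [(ACCOUNT_CTRL, "pam_ldap.so"), ("required", "pam_unix.so")]
def root_login(ldap_up):
    """(auth, account) outcome of a local root login with the LDAP server up or unreachable."""
    results = {"pam_ldap.so": "success" if ldap_up else "authinfo_unavail"}  # constructed module results
    return run_stack(LOGIN_AUTH, results), run_stack(LOGIN_ACCOUNT, results)
```

`root_login(False)` returns `("failure", "success")`: the required pam_ldap.so auth line turns an unreachable directory into a failed login even though pam_unix.so succeeds, whereas the account stack's `authinfo_unavail=ignore` lets pam_unix.so decide.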