Hi, thanks for your reply!
My goal is to authenticate through LDAP and to do some specific authorization checks.
For failover I have one account in /etc/passwd in case of LDAP downtime, so that it's still possible to log in through local authentication. Furthermore, I have the following inside ldap.conf:
---
# Group to enforce membership of
pam_groupdn cn=klever,ou=hosts,dc=xxx,dc=xxx,dc=xxx
# Group member attribute
pam_member_attribute uniqueMember
---
This should do authorization and should only allow login if the account that is logging in also exists in 'cn=klever,ou=hosts,dc=xxx,dc=xxx,dc=xxx' with its full DN inside the uniqueMember attribute.
Authentication is already working with the AUTH directive inside /etc/pam.d/sshd.
So I want to allow any user to log in if, in ACCOUNT, the pam_ldap check is true and the user also exists there, or if the user exists in /etc/passwd.
First of all -- be clear on where the user record exists. Identify if 'klever' exists both in LDAP and locally, or in only one. You will drive yourself nuts if you don't keep this straight. I suggest creating local- and directory-only test users when hacking on PAM.
This is what I have done.
Secondly, understand what checks happen where. With PADL pam_ldap the only way you can tell most of this is to read the code, sadly. In this case, the various access checks happen in pam_sm_acct_mgmt(), which corresponds to 'account' in pam.conf.
I don't have much C knowledge, so this will be very hard.
Because you have specified that the failure of pam_ldap is not fatal to the account stack. The "sufficient" control means: If this module returns success, then stop stack processing and return success to the application. Otherwise continue processing.
Since the access check constitutes a "failure" and "sufficient" effectively ignores failures, you've made the access checks useless. :)
You probably want to set it to "required", but there are a couple of options to mask certain failure modes you may need to set so that you get the proper fallback to local logins. Those options are
ignore_unknown_user ignore_authinfo_unavail
Add these to the end of the 'account ..pam_ldap' line.
If you don't want to set the options you can move it below pam_unix, but the control must still be "required" for the appropriate action to be taken. Remember, you need to treat ldap failing as fatal to the stack if you want the access controls to have any effect.
PAM is horrifically complicated. I just spent 2 months implementing it at my employer and getting the cases right is a bitch. In fact, it's still wrong there. :(
I have tried all combinations in the ACCOUNT section, but without the special attributes you have written about ('ignore_unknown_user/ignore_authinfo_unavail').
I will test them; maybe they are the only missing and required things to get this working.
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "[EMAIL PROTECTED]"
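Added illustration, not code from this thread or from pam_ldap itself: a small model of how a PAM 'account' stack combines module results under the 'required' and 'sufficient' control flags. It is meant to show concretely why marking pam_ldap 'sufficient' makes the pam_groupdn check useless (its failure is skipped and pam_unix then lets the user in), and why 'required' needs ignore_unknown_user and ignore_authinfo_unavail before the local failover account still works. The control-flag semantics follow Linux-PAM's classic flags; the user names, the group membership set (usernames stand in for the uniqueMember DNs) and the way pam_unix resolves users through NSS are all constructed assumptions.

```python
# Added model of a PAM 'account' stack (not the thread's or pam_ldap's own code).
# Semantics follow Linux-PAM's classic control flags; all names below are constructed.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
PAM_IGNORE = "PAM_IGNORE"

# Constructed directory and local state.
LDAP_USERS = {"alice", "bob"}          # accounts that exist in LDAP
GROUP_MEMBERS = {"alice"}               # stands in for uniqueMember DNs of the pam_groupdn group
LOCAL_USERS = {"root", "failover"}      # accounts present in /etc/passwd


def pam_ldap_acct(user, opts, ldap_up):
    """Model of pam_ldap's account check with pam_groupdn enforcement."""
    if not ldap_up:
        # Directory unreachable: PAM_AUTHINFO_UNAVAIL unless told to ignore it.
        return PAM_IGNORE if "ignore_authinfo_unavail" in opts else PAM_AUTHINFO_UNAVAIL
    if user not in LDAP_USERS:
        # Local-only account: PAM_USER_UNKNOWN unless told to ignore it.
        return PAM_IGNORE if "ignore_unknown_user" in opts else PAM_USER_UNKNOWN
    # The authorization check: the user must be a member of the pam_groupdn group.
    return PAM_SUCCESS if user in GROUP_MEMBERS else PAM_PERM_DENIED


def pam_unix_acct(user, opts, ldap_up):
    """Model of pam_unix's account check; it resolves the user through NSS,
    which (assumed nss_ldap) sees LDAP accounts only while the directory is up."""
    nss_users = LOCAL_USERS | (LDAP_USERS if ldap_up else set())
    return PAM_SUCCESS if user in nss_users else PAM_USER_UNKNOWN


def run_stack(stack, user, ldap_up=True):
    """Evaluate [(control, module, options), ...] like a PAM account stack.

    required:   a failure is remembered and reported at the end, but the
                remaining modules still run.
    sufficient: success ends the stack with PAM_SUCCESS (unless a required
                module already failed); failure is silently skipped.
    PAM_IGNORE: the module is treated as if it were not in the stack.
    """
    first_failure = None
    decided = False
    for control, module, opts in stack:
        rc = module(user, opts, ldap_up)
        if rc == PAM_IGNORE:
            continue
        decided = True
        if control == "required":
            if rc != PAM_SUCCESS and first_failure is None:
                first_failure = rc
        elif control == "sufficient":
            if rc == PAM_SUCCESS and first_failure is None:
                return PAM_SUCCESS
        else:
            raise ValueError("unsupported control flag: " + control)
    if not decided:
        return PAM_PERM_DENIED          # no module produced a usable result
    return first_failure or PAM_SUCCESS


# The stack the thread describes as broken: pam_ldap marked 'sufficient'.
BROKEN_STACK = [
    ("sufficient", pam_ldap_acct, set()),
    ("required", pam_unix_acct, set()),
]

# The suggested fix: 'required' plus the two ignore_* options.
FIXED_STACK = [
    ("required", pam_ldap_acct, {"ignore_unknown_user", "ignore_authinfo_unavail"}),
    ("required", pam_unix_acct, set()),
]

# 'required' without the options: LDAP enforcement works, but the local
# failover account is locked out (and everyone is, when LDAP is down).
STRICT_STACK = [
    ("required", pam_ldap_acct, set()),
    ("required", pam_unix_acct, set()),
]


if __name__ == "__main__":
    for name, stack in [("broken", BROKEN_STACK), ("fixed", FIXED_STACK), ("strict", STRICT_STACK)]:
        for user in ["alice", "bob", "failover"]:
            for up in (True, False):
                print(f"{name:6} user={user:8} ldap_up={up!s:5} -> {run_stack(stack, user, up)}")
```

Running it prints a row per stack, user and LDAP state. The row to look at first is "broken user=bob": bob exists in LDAP but is not in the group, pam_ldap denies him, 'sufficient' discards that denial, and pam_unix (which sees him via NSS) lets him in. With the fixed stack the same user is denied, alice (a member) gets in, and the local 'failover' account gets in whether LDAP is up or down because pam_ldap returns PAM_IGNORE for it instead of a hard failure.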