
PAM + LDAP authentication without local accounts

by BJP


I have a SLES 9 server running NIS and authenticating against a Solaris LDAP (Sun One Directory Server 5.2 p4) machine. It works fine with local users, but our non-local NIS users cannot log in. What is the necessary config for logging in *without* a local account in /etc/passwd?

Here is what I have configured so far...

=====================================================

/etc/nsswitch.conf:

passwd:        compat
group:         compat

passwd_compat: ldap nis files
group_compat:  ldap nis files

=====================================================

/etc/security/pam_unix2.conf:

auth:      use_ldap nullok
account:   use_ldap
password:  use_ldap
session:   none

=====================================================

/etc/ldap.conf:

host    10.0.42.17:390
base    ou=people,ou=intranet,dc=motorola,dc=com
ldap_version    2

nss_map_attribute       uniqueMember member
nss_base_passwd ou=people,ou=intranet,dc=motorola,dc=com
nss_base_shadow ou=people,ou=intranet,dc=motorola,dc=com
nss_base_group  ou=people,ou=intranet,dc=motorola,dc=com
pam_filter                  objectclass=person

=====================================================

/etc/pam.d/sshd:

auth     required      pam_nologin.so
auth     sufficient    pam_ldap.so
auth     required      pam_unix2.so     use_first_pass # set_secrpc

account  required      pam_unix2.so

password required      pam_pwcheck.so
password required      pam_ldap.so      use_authtok
password required      pam_unix2.so     use_first_pass use_authtok

session  required      pam_unix2.so
session  required      pam_limits.so
session  required      pam_env.so
session  optional      pam_mail.so

=====================================================

/etc/ssh/sshd_config:

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
UsePAM  yes

=====================================================

...what is missing?

Thank you,
BJP
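As an added diagnostic (not from the post, SLES or pam_ldap), here is a small Python parser for the two files quoted above: it lists which modules each PAM management group references and expands glibc's `compat` NSS mode, where the `passwd_compat` sources are consulted only for `+` entries in /etc/passwd, so without such an entry `getent passwd` never reaches LDAP or NIS at all. The sample inputs are the poster's files re-typed as constructed strings; bracketed `[...]` PAM control syntax is assumed absent and not handled.

```python
# Constructed samples: the /etc/pam.d/sshd stack and nsswitch.conf from the post.
PAM_SSHD = """\
auth     required      pam_nologin.so
auth     sufficient    pam_ldap.so
auth     required      pam_unix2.so    use_first_pass # set_secrpc
account  required      pam_unix2.so
password required      pam_pwcheck.so
password required      pam_ldap.so      use_authtok
password required      pam_unix2.so     use_first_pass use_authtok
session  required      pam_unix2.so
session  required      pam_limits.so
session  required      pam_env.so
session  optional      pam_mail.so
"""
NSSWITCH = "passwd: compat\ngroup: compat\npasswd_compat: ldap nis files\ngroup_compat: ldap nis files\n"

def _strip(line):
    return line.split("#", 1)[0].strip()  # drop '#' comments and whitespace

def parse_pam(text):
    """{group: [(control, module, [args])]} in file order (no '[...]' controls)."""
    stack = {}
    for line in filter(None, map(_strip, text.splitlines())):
        group, control, module, *args = line.split()
        stack.setdefault(group, []).append((control, module, args))
    return stack

def parse_nsswitch(text):
    """{database: [sources]}, e.g. {'passwd': ['compat'], ...}."""
    db = {}
    for line in filter(None, map(_strip, text.splitlines())):
        name, _, sources = line.partition(":")
        db[name.strip()] = sources.split()
    return db

def lookup_order(nss, database):
    """Expand glibc 'compat': /etc/<database> is read directly and the
    <database>_compat sources (default nis) serve only its '+' entries."""
    direct, plus = [], []
    for src in nss.get(database, []):
        if src == "compat":
            direct.append("files")
            plus.extend(nss.get(database + "_compat", ["nis"]))
        else:
            direct.append(src)
    return {"direct": direct, "plus_entries": plus}

def groups_without(stack, module):
    """PAM management groups whose stack never references `module`."""
    return [g for g, ents in stack.items() if all(m != module for _, m, _ in ents)]
```

Compare the `plus_entries` list against the actual `+` lines in /etc/passwd before looking at the PAM stack; sshd asks NSS for the user before PAM ever runs.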