# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
-account required pam_unix.so
+# Default was:
+#account required pam_unix.so
+#
+# LDAP config copied from http://wiki.debian.org/LDAP/PAM
+account required pam_unix.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account [default=bad success=ok user_unknown=ignore] pam_ldap.so
+account required pam_permit.so
+
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
-auth required pam_unix.so nullok_secure
+#
+# Default was:
+# auth required pam_unix.so nullok_secure
+#
+# LDAP config copied from http://wiki.debian.org/LDAP/PAM
+auth sufficient pam_unix.so nullok_secure
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth sufficient pam_ldap.so use_first_pass
+auth required pam_deny.so
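Review bot: The new `auth sufficient pam_ldap.so use_first_pass` line authenticates directory users with a simple bind, and the ldap.conf added later in this commit sets `uri ldap://ldap.drsnuggles.stderr.nl` with no TLS, so every LDAP login password (and the password-change path through `password sufficient pam_ldap.so`) crosses the network in cleartext. Either switch that line to `uri ldaps://ldap.drsnuggles.stderr.nl`, or keep ldap:// and add `ssl start_tls` together with `tls_checkpeer yes` and `tls_cacertfile /path/to/ca.crt` (placeholder path) so the server certificate is actually verified. The ldap.conf comment itself notes that ldaps:// is the secure option, which suggests an oversight rather than a deliberate choice.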
#
# See the pam_unix manpage for other options.
-password required pam_unix.so nullok obscure md5
+# Default was:
+# password required pam_unix.so nullok obscure md5
+#
+# LDAP config copied from http://wiki.debian.org/LDAP/PAM, but with use_authtok
+# options removed.
+password sufficient pam_unix.so md5 obscure min=4 max=8 nullok try_first_pass
+password sufficient pam_ldap.so
+password required pam_deny.so
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
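Review bot: `password sufficient pam_unix.so md5 obscure min=4 max=8 nullok try_first_pass` keeps md5 hashing for local accounts, lowers the accepted length to four characters via `min=4`, and retains `nullok`, so stored credentials are much easier to brute-force than the rest of this change implies. If the pam_unix on this host supports it, `sha512` with a higher minimum is the stronger form, e.g. `password sufficient pam_unix.so sha512 obscure min=8 try_first_pass`, keeping `nullok` only if an account genuinely depends on an empty password. I cannot confirm from here what `max=8` does on this pam_unix build; it is worth checking that option's meaning before relying on it, since the default line being replaced did not carry it.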
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
-session required pam_unix.so
+# Default was:
+#
+# session required pam_unix.so
+
+# LDAP config copied from http://wiki.debian.org/LDAP/PAM
+session required pam_limits.so
+session required pam_unix.so
+session optional pam_ldap.so
+
+session required pam_mkhomedir.so skel=/etc/skel umask=0022
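Review bot: `session required pam_mkhomedir.so skel=/etc/skel umask=0022` creates each new directory user's home world-readable, so on a shared host every user's files are visible to all other users from their first login. Unless a shared-home layout is intended, `umask=0077` is the safer default: `session required pam_mkhomedir.so skel=/etc/skel umask=0077`. Note also that with `required` a failure to create the directory is expected to reject the session; that may be the desired behaviour, but `optional` is the alternative if logins should still succeed when the home directory cannot be created. Separately, the `# Default was:` comment block here is laid out differently from the same block in the other three files (blank `#` line between the label and the old line), which is worth aligning for consistency.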
--- /dev/null
+#
+# See /usr/share/libpam-ldap/ldap.conf for example configuration and more
+# options.
+#
+
+# The distinguished name of the search base.
+base dc=drsnuggles,dc=stderr,dc=nl
+
+# The LDAP server. ldaps:// is secure, ldapi:// is local socket
+uri ldap://ldap.drsnuggles.stderr.nl
+
+# The LDAP version to use
+ldap_version 3
+
+# Use the OpenLDAP exop extended operation to change the password. This allows
+# the server to decide on hashing algorithm, etc.
+pam_password exop