From: root
Date: Thu, 25 Sep 2008 10:24:14 +0000 (+0000)
Subject: pam: Use LDAP for authentication.
X-Git-Url: https://git.stderr.nl/gitweb?p=matthijs%2Fservers%2Fdrsnuggles.git;a=commitdiff_plain;h=6729d356bc9bb1c6b0e625fd68d2c4cdc3ed75fa

pam: Use LDAP for authentication.
---

diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account
index 6798301..c2e28cb 100644
--- a/etc/pam.d/common-account
+++ b/etc/pam.d/common-account
@@ -6,4 +6,12 @@
 # the central access policy for use on the system. The default is to
 # only deny service to users whose accounts are expired in /etc/shadow.
 #
-account required pam_unix.so
+# Default was:
+#account required pam_unix.so
+#
+# LDAP config copied from http://wiki.debian.org/LDAP/PAM
+account required pam_unix.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account [default=bad success=ok user_unknown=ignore] pam_ldap.so
+account required pam_permit.so
+
diff --git a/etc/pam.d/common-auth b/etc/pam.d/common-auth
index 63d129a..aa0742c 100644
--- a/etc/pam.d/common-auth
+++ b/etc/pam.d/common-auth
@@ -7,4 +7,12 @@
 # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
 # traditional Unix authentication mechanisms.
 #
-auth required pam_unix.so nullok_secure
+#
+# Default was:
+# auth required pam_unix.so nullok_secure
+#
+# LDAP config copied from http://wiki.debian.org/LDAP/PAM
+auth sufficient pam_unix.so nullok_secure
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth sufficient pam_ldap.so use_first_pass
+auth required pam_deny.so
diff --git a/etc/pam.d/common-password b/etc/pam.d/common-password
index 45959eb..513712b 100644
--- a/etc/pam.d/common-password
+++ b/etc/pam.d/common-password
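Review bot: In the common-account hunk, `account required pam_unix.so` fails the whole stack for any user pam_unix cannot look up, so users that exist only in LDAP pass this file only if name resolution is also pointed at LDAP (libnss-ldap plus an `ldap` entry in nsswitch.conf), and nothing in this commit configures that; the same applies to the `uid < 1000` test in pam_succeed_if, which needs a resolvable uid. The `user_unknown=ignore` on pam_ldap only protects the reverse case (local users absent from the directory), and `pam_permit.so` at the end is a placeholder success that keeps the stack non-empty, which is not obvious to a reader. A comment above the first line would make the dependency explicit: `# Requires LDAP in nsswitch.conf (passwd/group/shadow): pam_unix and pam_succeed_if must be able to resolve LDAP users, or the 'required' line denies them.`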
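Review bot: The common-auth hunk makes both pam_unix and pam_ldap `sufficient`, so a uid >= 1000 user who has both an /etc/shadow entry and a directory entry can log in with either password, and a failed local attempt is retried against LDAP with the same token (`use_first_pass`); that is presumably intended, but the stack has no comment stating it, and the copied-from-wiki line does not explain the control flags. Note that pam_ldap performs a bind with the user's cleartext password against the server named in /etc/pam_ldap.conf, so the transport configured there (see the pam_ldap.conf hunk) is what protects these credentials. I would replace the `# LDAP config copied from ...` line with a short explanation, e.g. `# pam_unix first: a local password match succeeds immediately.` / `# requisite pam_succeed_if: system accounts (uid < 1000) are never sent to LDAP.` / `# pam_ldap reuses the password already entered; pam_deny closes the stack.`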
@@ -21,7 +21,14 @@
 #
 # See the pam_unix manpage for other options.
-password required pam_unix.so nullok obscure md5
+# Default was:
+# password required pam_unix.so nullok obscure md5
+#
+# LDAP config copied from http://wiki.debian.org/LDAP/PAM, but with use_authtok
+# options removed.
+password sufficient pam_unix.so md5 obscure min=4 max=8 nullok try_first_pass
+password sufficient pam_ldap.so
+password required pam_deny.so
 
 # Alternate strength checking for password. Note that this
 # requires the libpam-cracklib package to be installed.
diff --git a/etc/pam.d/common-session b/etc/pam.d/common-session
index dc11da6..c6eb196 100644
--- a/etc/pam.d/common-session
+++ b/etc/pam.d/common-session
@@ -6,4 +6,13 @@
 # at the start and end of sessions of *any* kind (both interactive and
 # non-interactive). The default is pam_unix.
 #
-session required pam_unix.so
+# Default was:
+#
+# session required pam_unix.so
+
+# LDAP config copied from http://wiki.debian.org/LDAP/PAM
+session required pam_limits.so
+session required pam_unix.so
+session optional pam_ldap.so
+
+session required pam_mkhomedir.so skel=/etc/skel umask=0022
diff --git a/etc/pam_ldap.conf b/etc/pam_ldap.conf
new file mode 100644
index 0000000..45d8679
--- /dev/null
+++ b/etc/pam_ldap.conf
@@ -0,0 +1,17 @@
+#
+# See /usr/share/libpam-ldap/ldap.conf for example configuration and more
+# options.
+#
+
+# The distinguished name of the search base.
+base dc=drsnuggles,dc=stderr,dc=nl
+
+# The LDAP server. ldaps:// is secure, ldapi:// is local socket
+uri ldap://ldap.drsnuggles.stderr.nl
+
+# The LDAP version to use
+ldap_version 3
+
+# Use the OpenLDAP exop extended operation to change the password. This allows
+# the server to decide on hashing algorithm, etc.
+pam_password exop
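Review bot: In the common-password hunk the strength checks (`obscure min=4 max=8`) are attached only to pam_unix, and pam_ldap is a separate `sufficient` entry with no `use_authtok` (the commit comment says it was removed deliberately), so when pam_unix does not handle the change and pam_ldap prompts on its own, an LDAP user's new password receives no quality check at all; `min=4` is also a very low floor even for local accounts, and `max=8` is worth checking against the pam_unix manpage for how it interacts with `md5`. The usual way to get one policy for both backends is a single checker first and both storage modules reusing its token, roughly `password requisite pam_cracklib.so retry=3 minlen=8 difok=3` / `password sufficient pam_unix.so md5 obscure nullok use_authtok` / `password sufficient pam_ldap.so use_authtok`; the context lines already note that this needs libpam-cracklib installed, and the ordering should be verified against an LDAP-only test user before deploying.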
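Review bot: In the common-session hunk, `pam_mkhomedir.so skel=/etc/skel umask=0022` creates each new home directory mode 0755, so on a multi-user host every LDAP user's home is readable by every other local account from its first login. Unless world-readable homes are wanted, use `session required pam_mkhomedir.so skel=/etc/skel umask=0077` (or 0027 for group access) and say so in a comment, since the value is easy to read as a harmless default. The stray blank `+` line between `# session required pam_unix.so` and the `# LDAP config` comment also splits what reads as one comment block.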
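Review bot: In the new pam_ldap.conf, `uri ldap://ldap.drsnuggles.stderr.nl` selects an unencrypted connection while the comment directly above it notes that `ldaps://` is the secure form; because the common-auth stack authenticates by binding with the user's password, every login sends that password across the network in the clear, and the exop password change introduced by `pam_password exop` does the same with the new one. Either switch the scheme to `uri ldaps://ldap.drsnuggles.stderr.nl` or keep the URI and add `ssl start_tls`, and in both cases pin the server with `tls_checkpeer yes` and `tls_cacertfile <path-to-CA-cert, placeholder>` so a spoofed directory cannot harvest credentials. A one-line comment stating that TLS is mandatory here because user passwords are bound to the server would keep the next editor from reverting it.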