From 6729d356bc9bb1c6b0e625fd68d2c4cdc3ed75fa Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 25 Sep 2008 10:24:14 +0000
Subject: [PATCH] pam: Use LDAP for authentication.

---
 etc/pam.d/common-account | 10 +++++++++-
 etc/pam.d/common-auth | 10 +++++++++-
 etc/pam.d/common-password | 9 ++++++++-
 etc/pam.d/common-session | 11 ++++++++++-
 etc/pam_ldap.conf | 17 +++++++++++++++++
 5 files changed, 53 insertions(+), 4 deletions(-)
 create mode 100644 etc/pam_ldap.conf

diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account
index 6798301..c2e28cb 100644
--- a/etc/pam.d/common-account
+++ b/etc/pam.d/common-account
@@ -6,4 +6,12 @@
 # the central access policy for use on the system. The default is to
 # only deny service to users whose accounts are expired in /etc/shadow.
 #
-account required pam_unix.so
+# Default was:
+#account required pam_unix.so
+#
+# LDAP config copied from http://wiki.debian.org/LDAP/PAM
+account required pam_unix.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account [default=bad success=ok user_unknown=ignore] pam_ldap.so
+account required pam_permit.so
+
diff --git a/etc/pam.d/common-auth b/etc/pam.d/common-auth
index 63d129a..aa0742c 100644
--- a/etc/pam.d/common-auth
+++ b/etc/pam.d/common-auth
@@ -7,4 +7,12 @@
 # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
 # traditional Unix authentication mechanisms.
 #
-auth required pam_unix.so nullok_secure
+#
+# Default was:
+# auth required pam_unix.so nullok_secure
+#
+# LDAP config copied from http://wiki.debian.org/LDAP/PAM
+auth sufficient pam_unix.so nullok_secure
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth sufficient pam_ldap.so use_first_pass
+auth required pam_deny.so
diff --git a/etc/pam.d/common-password b/etc/pam.d/common-password
index 45959eb..513712b 100644
--- a/etc/pam.d/common-password
+++ b/etc/pam.d/common-password
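Review bot: The "Default was" line in the common-account hunk, `+#account required pam_unix.so`, omits the space after `#` that the same comment carries in the common-auth, common-password and common-session hunks (`# auth required …`, `# password required …`, `# session required …`); `# account required pam_unix.so` keeps the four files consistent. This hunk also appends an empty line after `account required pam_permit.so`, which none of the other three common-* hunks do, so it is worth dropping or giving the same treatment everywhere. Style only.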
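Review bot: The `uid >= 1000` gate on `auth requisite pam_succeed_if.so` keeps LDAP out of the path for low-uid names only if those names resolve from /etc/passwd, which depends on the NSS order (`files` before `ldap`) in nsswitch.conf rather than on anything in this commit; presumably that is the case, but the stack does not say so. A comment above the line records the assumption: `# uid < 1000 (system accounts, incl. root) may only authenticate via pam_unix above; relies on files preceding ldap in nsswitch.conf`. Note also that `quiet` suppresses pam_succeed_if's own syslog line, so an attempt on a system account rejected at this step leaves no entry from this module, only whatever pam_unix logged for its own failure.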
@@ -21,7 +21,14 @@
 #
 # See the pam_unix manpage for other options.
 
-password required pam_unix.so nullok obscure md5
+# Default was:
+# password required pam_unix.so nullok obscure md5
+#
+# LDAP config copied from http://wiki.debian.org/LDAP/PAM, but with use_authtok
+# options removed.
+password sufficient pam_unix.so md5 obscure min=4 max=8 nullok try_first_pass
+password sufficient pam_ldap.so
+password required pam_deny.so
 
 # Alternate strength checking for password. Note that this
 # requires the libpam-cracklib package to be installed.
diff --git a/etc/pam.d/common-session b/etc/pam.d/common-session
index dc11da6..c6eb196 100644
--- a/etc/pam.d/common-session
+++ b/etc/pam.d/common-session
@@ -6,4 +6,13 @@
 # at the start and end of sessions of *any* kind (both interactive and
 # non-interactive). The default is pam_unix.
 #
-session required pam_unix.so
+# Default was:
+#
+# session required pam_unix.so
+
+# LDAP config copied from http://wiki.debian.org/LDAP/PAM
+session required pam_limits.so
+session required pam_unix.so
+session optional pam_ldap.so
+
+session required pam_mkhomedir.so skel=/etc/skel umask=0022
diff --git a/etc/pam_ldap.conf b/etc/pam_ldap.conf
new file mode 100644
index 0000000..45d8679
--- /dev/null
+++ b/etc/pam_ldap.conf
@@ -0,0 +1,17 @@
+#
+# See /usr/share/libpam-ldap/ldap.conf for example configuration and more
+# options.
+#
+
+# The distinguished name of the search base.
+base dc=drsnuggles,dc=stderr,dc=nl
+
+# The LDAP server. ldaps:// is secure, ldapi:// is local socket
+uri ldap://ldap.drsnuggles.stderr.nl
+
+# The LDAP version to use
+ldap_version 3
+
+# Use the OpenLDAP exop extended operation to change the password. This allows
+# the server to decide on hashing algorithm, etc.
+pam_password exop
-- 
2.30.2
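Review bot: The LDAP branch `password sufficient pam_ldap.so` has no password-quality check in front of it: `obscure min=4` applies only to the pam_unix line, pam_ldap performs no strength check of its own, and the hunk's comment records that `use_authtok` was removed, which is exactly the mechanism that would let a strength module hand a vetted token down the stack. Unless the directory enforces a policy server-side, an LDAP user can therefore set any password at all, and a local user a four-character one. If libpam-cracklib is installed (the context lines below mention it), the recipe's form closes this: `password requisite pam_cracklib.so retry=3 minlen=8 difok=3` ahead of the stack, with `use_authtok` put back on the pam_unix and pam_ldap lines; otherwise at least raise `min=`. `max=8` on the pam_unix line looks like a leftover from DES-crypt days and can presumably go, and `md5` is worth revisiting once the installed pam_unix supports `sha512`.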
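Review bot: `session required pam_mkhomedir.so skel=/etc/skel umask=0022` creates every auto-provisioned home directory world-readable (0022 yields drwxr-xr-x); if home contents are meant to be private to their owner, `umask=0077` is the safer choice. Because the line is `required`, a failure to create the directory (for example an absent or read-only /home on a host that expects network-mounted homes) denies the session instead of falling through, which is defensible but worth a comment such as `# required: login is refused if the home directory cannot be created`. The blank line and missing comment above the pam_mkhomedir line also break the hunk's own pattern of one explanatory comment per group.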
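Review bot: `uri ldap://ldap.drsnuggles.stderr.nl` with no `ssl` directive means the bind that pam_ldap performs with the user's password in common-auth, and presumably the new password sent by `pam_password exop`, cross the network in cleartext; the file's own comment on that line already notes that `ldaps://` is the secure form. Either `uri ldaps://ldap.drsnuggles.stderr.nl`, or keeping `ldap://` and adding `ssl start_tls`, should be used, and in both cases `tls_checkpeer yes` with `tls_cacertfile <path-to-CA-certificate>` so that the server identity is verified rather than merely encrypted. The file carries no bind credentials, so mode 100644 is fine as committed.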