| 1 |
I have solved this issue late last night. I took my inspiration from fedora, who has a really nice automatic tool for adding ldap servers, and i looked at their changes. The issue was that pam_unix was set as required, not sufficient / optional. I also found that in fedora they do includes in their pam, and my setup did not have it so you need to modify the correct module for the system, you are using. Find below my corrected pam config, and i will do a write up of this process. |
| 2 |
|
| 3 |
I have also found that when the user logs in it takes a long tine for commands to execute, and in this time it sends alot of requests to the slapd server, using anonymous binds. Any idea how i make anonymous binds return attrs such as groupUid etc? |
| 4 |
|
| 5 |
On 05/05/2010, at 7:00 AM, Daniel Troeder wrote: |
| 6 |
|
| 7 |
>> |
| 8 |
>> # auth |
| 9 |
>> auth sufficient pam_opie.so no_warn no_fake_prompts |
| 10 |
>> auth requisite pam_opieaccess.so no_warn allow_local |
| 11 |
>> #auth sufficient pam_krb5.so no_warn try_first_pass |
| 12 |
>> #auth sufficient pam_ssh.so no_warn try_first_pass |
| 13 |
>> auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass |
| 14 |
>> auth sufficient pam_unix.so no_warn try_first_pass |
| 15 |
>> |
| 16 |
>> # account |
| 17 |
>> account required pam_nologin.so |
| 18 |
>> #account required pam_krb5.so |
| 19 |
>> account required pam_login_access.so |
| 20 |
>> account sufficient pam_unix.so |
| 21 |
>> account sufficient /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user |
| 22 |
>> |
| 23 |
>> # session |
| 24 |
>> #session optional pam_ssh.so |
| 25 |
>> session required pam_permit.so |
| 26 |
session optional /usr/local/lib/pam_ldap.so |
| 27 |
|
| 28 |
>> |
| 29 |
>> # password |
| 30 |
>> #password sufficient pam_krb5.so no_warn try_first_pass |
| 31 |
>> password sufficient pam_unix.so no_warn try_first_pass |
| 32 |
password sufficient /usr/lib/local/pam_ldap.so |
| 33 |
> |
Archives