Hi,
I have got users and groups in LDAP and I use it for authentication from several servers. I need users to be able to log into the servers only if they are in "admin" group.
I use the pam_ldap.so module for the authentication.
I added these lines into /etc/pam_ldap.conf:
pam_groupdn cn=admins,ou=Groups,dc=domain,dc=com
pam_member_attribute memberUid
And the following line into /etc/pam.d/ssh:
account required pam_ldap.so
Basically, this works alright, BUT I have got the root account in the local database /etc/passwd and I need root to be able to log in even if he is not in the "admin" group and also if the LDAP server is off. This does not work, because with this setting the PAM module requires root to be in the "admin" group as well, and when the LDAP server is off there is no admin group.
Does anyone know how to set this up?
Thanks,
Peter
On Friday 29 August 2008 11:31:32 Peter V wrote:
> Hi,
> I have got users and groups in LDAP and I use it for authentication from several servers. I need users to be able to log into the servers only if they are in "admin" group.
> I use the pam_ldap.so module for the authentication.
> I added these lines into /etc/pam_ldap.conf:
> pam_groupdn cn=admins,ou=Groups,dc=domain,dc=com
> pam_member_attribute memberUid
> And the following line into /etc/pam.d/ssh:
> account required pam_ldap.so
> Basically, this works alright, BUT I have got the root account in the local database /etc/passwd and I need root to be able to log in even if he is not in the "admin" group and also if the LDAP server is off. This does not work, because with this setting the PAM module requires root to be in the "admin" group as well, and when the LDAP server is off there is no admin group.
> Does anyone know how to set this up?
This is a PAM question, not an LDAP question, but the answer is something along the lines of:
account sufficient pam_localuser.so
account sufficient pam_ldap.so
account required pam_deny.so
Regards, Buchan
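To see why the proposed stack behaves differently from "account required pam_ldap.so", here is a small simulation of the Linux-PAM control-flag rules (required / requisite / sufficient) run over both stacks. This is an added example, not code from the thread or from pam_ldap; the users, the LDAP directory contents and the "LDAP server up/down" flag are constructed sample data, and the module behaviour is a simplified model of what pam_localuser.so, pam_ldap.so (with pam_groupdn set) and pam_deny.so return.

```python
from typing import Callable, Dict, List, Tuple

SUCCESS, FAIL = "success", "fail"

# Constructed sample data for the demo (not from the thread): accounts in the
# local /etc/passwd, accounts that exist in LDAP, and the uids listed in the
# admins group's memberUid attribute (the attribute pam_member_attribute names).
LOCAL_USERS = {"root", "backup"}
LDAP_USERS = {"alice", "bob"}
ADMINS_MEMBERUID = {"alice"}


def pam_localuser(user: str, ldap_up: bool) -> str:
    """pam_localuser.so: success only for accounts present in /etc/passwd."""
    return SUCCESS if user in LOCAL_USERS else FAIL


def pam_ldap(user: str, ldap_up: bool) -> str:
    """pam_ldap.so account check with pam_groupdn/pam_member_attribute set.

    Needs a reachable server, an entry for the user, and group membership;
    anything else is a failure (unreachable server, user unknown to LDAP,
    user not a member of the group).
    """
    if not ldap_up:
        return FAIL            # server down: no group to check against
    if user not in LDAP_USERS:
        return FAIL            # unknown to LDAP (root and other local users)
    return SUCCESS if user in ADMINS_MEMBERUID else FAIL


def pam_deny(user: str, ldap_up: bool) -> str:
    """pam_deny.so: always fails; the usual catch-all at the end of a stack."""
    return FAIL


MODULES: Dict[str, Callable[[str, bool], str]] = {
    "pam_localuser.so": pam_localuser,
    "pam_ldap.so": pam_ldap,
    "pam_deny.so": pam_deny,
}

Stack = List[Tuple[str, str]]

# Peter's original account stack and the one proposed in the reply.
ORIGINAL_STACK: Stack = [("required", "pam_ldap.so")]
PROPOSED_STACK: Stack = [
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]


def run_stack(stack: Stack, user: str, ldap_up: bool) -> bool:
    """Evaluate an account stack with the classic Linux-PAM control flags.

    Simplified model: 'required' records a failure but keeps going,
    'requisite' aborts on failure, and 'sufficient' ends the stack with
    success if the module succeeds and no earlier 'required' module failed;
    a failing 'sufficient' module is simply ignored. The [value=action]
    syntax and 'optional' are not modelled.
    """
    required_failed = False
    saw_success = False
    for control, name in stack:
        result = MODULES[name](user, ldap_up)
        if control == "required":
            if result == FAIL:
                required_failed = True
            else:
                saw_success = True
        elif control == "requisite":
            if result == FAIL:
                return False
            saw_success = True
        elif control == "sufficient":
            if result == SUCCESS and not required_failed:
                return True
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return saw_success and not required_failed


if __name__ == "__main__":
    cases = [("root", True), ("root", False), ("alice", True),
             ("alice", False), ("bob", True), ("backup", False)]
    print(f"{'user':8}{'ldap_up':9}{'original':10}{'proposed':10}")
    for user, up in cases:
        print(f"{user:8}{str(up):9}"
              f"{str(run_stack(ORIGINAL_STACK, user, up)):10}"
              f"{str(run_stack(PROPOSED_STACK, user, up)):10}")
```

Running it shows the two points that matter: with the original stack root is denied whether or not LDAP is reachable (pam_ldap.so is the only module and root is not in the group), while with the proposed stack root passes on pam_localuser.so before pam_ldap.so is ever consulted, and LDAP users are still allowed only when the server is up and they are in the group. The caveat to notice is the sample "backup" account: because pam_localuser.so is "sufficient", every account in /etc/passwd skips the LDAP group check, not just root. If only uid 0 should be exempt, Linux-PAM's pam_succeed_if.so can narrow the exemption (for example "account sufficient pam_succeed_if.so uid eq 0" in place of the pam_localuser.so line).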
openldap-technical@openldap.org