Dear Tony,

Thanks for your prompt response. http://www.linux.com/articles/113567 describes the "sufficient" modifier as follows: If a sufficient module succeeds, it is enough to satisfy the requirements of sufficient modules in that realm for use of the service, and modules below it that are also listed as 'sufficient' are not invoked.

Given the following /etc/pam.d/system.auth file:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

I think LDAP is used ONLY if the unix authentication fails?? Right??? Am I missing something???

----- Original Message ----
From: Tony Earnshaw tonni@hetnet.nl
To: openldap-technical@openldap.org
Sent: Thursday, February 21, 2008 9:58:57 PM
Subject: Re: using LDAP as central authentication unit
Hamidreza Hamedtoolloei skrev, on 22-02-2008 03:21:
I've followed one of the online instructions on how to configure my
system to use ldap as the user authentication mechanism. below is
partial content of my /etc/pam.d/system.auth file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
Looking at some online resources about how PAM works, it seems that unix
authentication is being applied first, and only if it fails, LDAP
authentication is applied. Am I correct here? In other words, if all the
users are still in /etc/shadow and /etc/passwd files, LDAP is NOT
being used for authentication. If I delete the users from /etc/passwd,
then LDAP is used, right?
No, all the modules will be used, but the way they are treated depends on the modifiers {sufficient,required,requisite} and {use_first_pass,try_first_pass,null} (unless you're using Solaris 10, where they've been obsoleted).
Best,
--Tonni
On Friday 22 February 2008 10:49:07 Hamidreza Hamedtoolloei wrote:
I think LDAP is used ONLY if the unix authentication fails?? right??? am I
Yes, with your configuration, the authentication (auth) aspect of PAM will succeed for local users if they supply the correct local password.
Maybe you would prefer to describe what the behaviour is that you would like?
Regards, Buchan
Hamidreza Hamedtoolloei skrev, on 22-02-2008 09:49:
http://www.linux.com/articles/113567 describes the "sufficient" modifier as follows: If a sufficient module succeeds, it is enough to satisfy the requirements of sufficient modules in that realm for use of the service, and modules below it that are also listed as 'sufficient' are not invoked.
Given the following /etc/pam.d/system.auth file:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

I think LDAP is used ONLY if the unix authentication fails?? Right??? Am I missing something???
I don't suppose that, reading the article you quote, you're missing anything, but I've just played around with my test machine's FC6 /etc/pam.d/system-auth and found the following for the auth service:
1: Where a user is in both LDAP and /etc/{passwd,shadow}, only the pam_unix.so password counts, even when the position of the pam_unix.so and pam_ldap.so lines is swapped. Changing the LDAP entry's password doesn't make any difference to PAM;

2: Where a user is only in LDAP, the pam_unix.so auth entry is ignored, whatever its position;

3: Commenting out the pam_unix.so line results in all login attempts by everyone being invalid. So not even root can log in any longer.
So I'd say that the stuff is far more complicated than the author states. Perhaps people are thinking about the nsswitch.conf entries. However, a recent thread in the pam_ldap mailing list hinted that things might be different for systems on which Padl's CNS pam_ldap library is installed, rather than Red Hat's version - as on my machines.
To avoid completely "missing something" I suggest you try it out for yourself ;)
Best,
--Tonni
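The stack in this thread can be walked by hand, but it is easier to see which module decides a login by simulating it. The following is an added example, not code from the thread or from any PAM implementation. It models the Linux-PAM control flags required / requisite / sufficient / optional and the use_first_pass / try_first_pass options against two constructed fake password stores (LOCAL_SHADOW stands in for /etc/shadow, LDAP_DIR for the directory; the names and passwords are made up). The module behaviour is a simplification and an assumption: pam_unix prompts and saves the password as the PAM authtok; pam_ldap with use_first_pass fails when no earlier module saved one.

```python
"""Walk an /etc/pam.d 'auth' stack the way Linux-PAM does, to show which
module actually decides a login.  Example code, not part of the thread."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

# Constructed sample data (assumption: not real credentials or systems).
LOCAL_SHADOW = {"root": "toor", "alice": "alice-local"}   # /etc/shadow stand-in
LDAP_DIR = {"alice": "alice-ldap", "bob": "bob-ldap"}     # directory stand-in

# The stack from the thread, written as a normal pam.d file.
SYSTEM_AUTH = """
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
"""

# Same stack with the pam_unix line commented out (Tony's third test).
NO_UNIX_AUTH = "\n".join(("#" + l) if "pam_unix.so" in l else l
                         for l in SYSTEM_AUTH.splitlines())


def parse_stack(text, facility="auth"):
    """Return [(control, module_basename, [args])] for one facility."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed pam line: %r" % raw)
        mtype, control, module, *args = fields
        if mtype != facility:
            continue
        entries.append((control, module.rsplit("/", 1)[-1], args))
    return entries


def run_module(module, args, user, password, state):
    """Fake each module; 'state' carries the saved authtok between modules."""
    if module == "pam_env.so":
        return PAM_SUCCESS
    if module == "pam_deny.so":
        return PAM_AUTH_ERR
    if module == "pam_unix.so":
        state["authtok"] = password              # prompts, saves for later modules
        if user not in LOCAL_SHADOW:
            return PAM_USER_UNKNOWN
        return PAM_SUCCESS if LOCAL_SHADOW[user] == password else PAM_AUTH_ERR
    if module == "pam_ldap.so":
        if "use_first_pass" in args:
            if "authtok" not in state:           # nothing saved by an earlier module
                return PAM_AUTH_ERR
            pw = state["authtok"]
        elif "try_first_pass" in args:
            pw = state.get("authtok", password)
        else:
            pw = password                        # prompts itself
            state["authtok"] = password
        if user not in LDAP_DIR:
            return PAM_USER_UNKNOWN
        return PAM_SUCCESS if LDAP_DIR[user] == pw else PAM_AUTH_ERR
    raise ValueError("no fake for " + module)


def authenticate(stack_text, user, password):
    """Return (final_result, [(module, rc), ...]) for the 'auth' facility."""
    state, trace, failed = {}, [], None
    for control, module, args in parse_stack(stack_text):
        rc = run_module(module, args, user, password, state)
        trace.append((module, rc))
        if control == "required":
            if rc != PAM_SUCCESS and failed is None:
                failed = rc                      # remember, but keep running the stack
        elif control == "requisite":
            if rc != PAM_SUCCESS:
                return (failed or rc), trace     # stop immediately
        elif control == "sufficient":
            if rc == PAM_SUCCESS and failed is None:
                return PAM_SUCCESS, trace        # enough; later modules never run
        elif control != "optional":
            raise ValueError("unsupported control flag " + control)
    return (failed or PAM_SUCCESS), trace


if __name__ == "__main__":
    for stack, user, pw in [(SYSTEM_AUTH, "alice", "alice-local"),
                            (SYSTEM_AUTH, "bob", "bob-ldap"),
                            (SYSTEM_AUTH, "bob", "wrong"),
                            (NO_UNIX_AUTH, "root", "toor")]:
        result, trace = authenticate(stack, user, pw)
        print("%-5s %-11s -> %s via %s" % (user, pw, result, [m for m, _ in trace]))
```

Under this model a local user with the right local password is decided at pam_unix and pam_ldap is never reached; an LDAP-only user fails pam_unix (ignored, since it is sufficient), and pam_ldap then succeeds with the password pam_unix saved; and with the pam_unix line commented out, pam_ldap's use_first_pass finds no saved password and fails, so pam_deny rejects everyone, root included, which is what Tony's third test showed. For a user present in both stores the model also accepts the LDAP password, which is not what Tony saw on FC6 in his first test; the fake modules only follow the documented option semantics, so the real stack on the real box is the thing to test.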