Hello, I've followed one of the online instructions on how to configure my system to use LDAP as the user authentication mechanism. Below is partial content of my /etc/pam.d/system.auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

Looking at some online resources about how PAM works, it seems that Unix authentication is being applied first, and only if it fails, LDAP authentication is applied. Am I correct here? In other words, if all the users are still in the /etc/shadow and /etc/passwd files... LDAP is NOT being used for authentication. If I delete the users from /etc/passwd... then LDAP is used... right?
thx, ~Hamid
Hamidreza Hamedtoolloei skrev, on 22-02-2008 03:21:
> I've followed one of the online instructions on how to configure my system to use LDAP as the user authentication mechanism. Below is partial content of my /etc/pam.d/system.auth file:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> Looking at some online resources about how PAM works, it seems that Unix authentication is being applied first, and only if it fails, LDAP authentication is applied. Am I correct here? In other words, if all the users are still in the /etc/shadow and /etc/passwd files... LDAP is NOT being used for authentication. If I delete the users from /etc/passwd... then LDAP is used... right?
No, all the modules will be used, but the way they are treated depends on the modifiers {sufficient,required,requisite} and {use_first_pass,try_first_pass,null} (unless you're using Solaris >= 10 where they've been obsoleted).
Best,
--Tonni
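To make the control-flag semantics concrete, here is a small Python model of the four-line auth stack quoted in the question. It is an added example, not code from the thread: the two user maps and the module functions are constructed stand-ins for /etc/shadow and the LDAP directory, and the evaluator follows Linux-PAM's documented handling of required, sufficient and requisite.

```python
# Constructed sample data: one user known only locally, one known only in LDAP.
LOCAL_USERS = {"alice": "local-pw"}   # stands in for /etc/shadow
LDAP_USERS = {"bob": "ldap-pw"}       # stands in for the LDAP directory


def pam_env(user, password):
    return True                         # only sets environment variables, never fails auth


def pam_unix(user, password):
    return LOCAL_USERS.get(user) == password


def pam_ldap(user, password):
    # use_first_pass: gets the same password pam_unix already prompted for
    return LDAP_USERS.get(user) == password


def pam_deny(user, password):
    return False


# The auth stack from the question, module paths abbreviated to module names.
AUTH_STACK = [
    ("required", pam_env),
    ("sufficient", pam_unix),   # likeauth nullok
    ("sufficient", pam_ldap),   # use_first_pass
    ("required", pam_deny),
]


def run_auth(user, password, stack=AUTH_STACK):
    """Return (granted, names of modules consulted in order).

    sufficient + success ends the stack with success unless an earlier required
    module already failed; a required failure is remembered and the remaining
    modules still run; a requisite failure returns failure immediately.
    """
    consulted = []
    failed = False
    for control, module in stack:
        consulted.append(module.__name__)
        ok = module(user, password)
        if control == "sufficient" and ok and not failed:
            return True, consulted
        if control == "requisite" and not ok:
            return False, consulted
        if control == "required" and not ok:
            failed = True
    return not failed, consulted
```

With this stack a local user is granted as soon as pam_unix succeeds and pam_ldap is never consulted; an LDAP-only user fails pam_unix, then succeeds at pam_ldap; a user unknown to both reaches pam_deny and is refused.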
Tony Earnshaw skrev, on 22-02-2008 06:58:
> [...]
> No, all the modules will be used, but the way they are treated depends on the modifiers {sufficient,required,requisite} and {use_first_pass,try_first_pass,null} (unless you're using Solaris >= 10 where they've been obsoleted).
s/they've been/the latter have been/g
--Tonni