[Pkg-openldap-devel] Trying to build a summary on LDAP/Samba/PAM/... strangeness...
Marco Gaiarin
gaio at sv.lnf.it
Tue May 15 12:35:14 UTC 2007
[sorry for the crosspost, but if this stuff is intended primarily for the
libpam-ldap maintainer, I think it could be of some interest also to
others...]
> b) I still ask the libpam-ldap maintainer to provide a better 'suggested
> configuration': I will try myself to do some experimentation, but if
> someone can at least make a hint...
Quick try; the rationale is: ``use pam_unix for /etc/passwd accounts,
pam_ldap for the others'', which led me to this setup:
auth [success=ignore default=1] pam_localuser.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so try_first_pass
auth required pam_permit.so
Basically I've added a pam_localuser.so call to discriminate 'local'
(/etc/passwd) users from the others, and I've changed use_first_pass to
try_first_pass, because if pam_localuser.so matches, control passes to
pam_ldap, but there's no password to try. ;)
With this setup I get the spurious pam_unix log only if the account exists
both in the local database and in LDAP, which is perfectly acceptable
(indeed, because I've *NO* account in both LDAP and the local database O;).
Probably it is not the best solution, so I'm seeking feedback.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797