Please find the pam-ldap & nsswitch configuration from my Ubuntu10desktop
client & Fed12desktop client. I guess it looks fine.
Could you review it & let me know if you find I've misconfigured or missed
something?

Thanks
Shamika

On Thu, Apr 8, 2010 at 11:39 AM, Shamika Joshi <[email protected]>wrote:

> Thanks for your continuous & prompt help Dieter. I truly appreciate it.
>  I think I had taken care of pam-ldap & nsswitch configuration before but
> I will revisit that part & get back to you.
>
> Thanks
> Shamika
>
>
> On Wed, Apr 7, 2010 at 7:53 PM, Dieter Kluenter <[email protected]>wrote:
>
>> Am Wed, 7 Apr 2010 15:07:34 +0530
>> schrieb Shamika Joshi <[email protected]>:
>>
>> > Yes,it shows it correctly.
>> > adm...@x6:~$ ldapsearch -xLLL -b
>> > cn=u910desk,ou=Machines,dc=testlab,dc=com dn:
>> > cn=u910desk,ou=Machines,dc=testlab,dc=com cn: u910desk
>> > ipHostNumber: 172.17.5.232
>> > member: cn=placeholder,dc=testlab,dc=com
>> > objectClass: top
>> > objectClass: groupOfNames
>> > objectClass: labeledURIObject
>> > objectClass: ipHost
>> > labeledURI:
>> > ldap://172.17.0.200/ou=Users,dc=testlab,dc=com??one?(host=cms3)<http://172.17.0.200/ou=Users,dc=testlab,dc=com??one?%28host=cms3%29>
>> >
>> >
>> > search result of ldap://
>> > 172.17.0.200/ou=Users,dc=testlab,dc=com??one?(host=cms3)<http://172.17.0.200/ou=Users,dc=testlab,dc=com??one?%28host=cms3%29>shows
>> > uid=george, which is correct.
>> > Should I be doing any more configuration to get to this login
>> > restriction working???
>> [...]
>>
>> If this is really the result you expect, then you should configure pam
>> sshd and nsswitch to use this result.
>>
>> -Dieter
>>
>> --
>> Dieter Klünter | Systemberatung
>> sip: +49.40.20932173
>> http://www.dpunkt.de/buecher/2104.html
>> GPG Key ID:8EF7B6C6
>>
>>
>
password-auth
# Review notes (Fedora client, /etc/pam.d/password-auth). The sshd file
# includes this file, so this is the stack that governs ssh logins.
#
# auth: local accounts are tried first; pam_succeed_if stops system accounts
# (uid < 500) from falling through to LDAP. 'nullok' lets a local account with
# an empty password field authenticate without a password -- drop it unless
# such accounts are intended.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

# account: pam_unix is 'required', not 'sufficient', so an LDAP user still
# reaches pam_ldap.so ('broken_shadow' keeps unreadable shadow data from
# rejecting them). The bracketed control reads: LDAP rejects -> fail, LDAP
# accepts -> ok, user unknown to LDAP (local account) -> skipped.
# Any host- or group-based login restriction is enforced at this pam_ldap
# line, but only if /etc/ldap.conf (not shown in the mail) asks for it --
# e.g. pam_check_host_attr, or pam_groupdn/pam_member_attribute pointing at
# the cn=u910desk,ou=Machines entry from the earlier mail. Confirm that file.
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

# password: 'md5' stores MD5 hashes for local accounts; pam_unix on this
# release also accepts 'sha512', which is the stronger choice.
# NOTE(review): the pam_unix line below looks wrapped by the mail client. In
# the file it must be a single line -- a bare 'use_authtok' line is a
# configuration error (Linux-PAM logs it and, as far as I recall, installs it
# as an always-failing entry).
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass 
use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

# session: same wrap caveat for the pam_succeed_if line; 'use_uid' on its own
# is not a valid entry.
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet 
use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
~
================================================================================


system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Review notes (Fedora client, /etc/pam.d/system-auth). The sshd file below
# includes password-auth, not this file, so these lines do not apply to ssh
# logins; otherwise the auth/account/password stacks match password-auth
# (same notes apply: 'nullok', 'md5' vs 'sha512', wrapped lines).
# Because authconfig rewrites this file, the hand-added pam_mkhomedir line
# will be lost on the next run; 'authconfig --enablemkhomedir' keeps it.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

# NOTE(review): pam_unix line wrapped by the mail client; must be one line.
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass 
use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

# NOTE(review): the commented pam_succeed_if line is wrapped as well. If
# 'quiet use_uid' really is an uncommented line in the file, it is a malformed
# entry and should be joined back onto the comment.
#session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
#session     [success=1 default=ignore] pam_succeed_if.so service in crond 
quiet use_uid
# pam_mkhomedir without 'umask=' creates home directories with the module
# default of 0022 (world-readable); add 'umask=0077' if that is not wanted.
session    required     pam_mkhomedir.so skel=/etc/skel/
session     required      pam_unix.so
session     optional      pam_ldap.so
~
================================================================================


sshd
#%PAM-1.0
# Review notes (Fedora client, /etc/pam.d/sshd). The auth, account and
# password phases are taken from password-auth via 'include', so for ssh
# logins the LDAP host/group restriction is whatever password-auth's account
# stack (together with /etc/ldap.conf, not shown) enforces.
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# NOTE(review): the next comment is wrapped by the mail client; a bare
# 'user context' line in the real file would be a malformed entry.
# pam_selinux.so open should only be followed by sessions to be executed in the 
user context
# pam_mkhomedir without 'umask=' uses the module default of 0022, so new home
# directories are world-readable; add 'umask=0077' if that is not wanted.
session    required     pam_mkhomedir.so skel=/etc/skel/
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

================================================================================
nsswitch.conf

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

# Review notes (Fedora client, /etc/nsswitch.conf).
# passwd/shadow/group consult LDAP after the local files, which is what the
# PAM stacks above expect. 'shadow: ... ldap' only yields data if the bind
# identity in /etc/ldap.conf (not shown) may read shadow attributes on the
# server; an anonymous bind usually cannot. That is fine for pam_ldap (it
# binds as the user) and pam_unix tolerates it via 'broken_shadow', but it is
# worth knowing when reading pam_unix's account results.
passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

# NOTE(review): bootparams, publickey and aliases still reference nisplus --
# distribution defaults, harmless unless NIS+ lookups are expected to work.
bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus
common-auth
# Review notes (Ubuntu client, /etc/pam.d/common-auth).
# Local users succeed at pam_unix ('sufficient') and stop there; only users
# not in /etc/shadow reach pam_group and pam_ldap. pam_group(8) documents no
# options, so 'use_first_pass' on it is presumably ignored -- verify. As
# 'required', a pam_group failure blocks every LDAP login. 'nullok' lets a
# local account with an empty password field log in without a password --
# drop it unless intended.
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_group.so use_first_pass
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

================================================================================
common-password
# Review notes (Ubuntu client, /etc/pam.d/common-password).
# 'md5' stores MD5 hashes for local accounts; 'sha512' is supported by pam_unix
# on this release and is the stronger choice. Unlike the Fedora stack there is
# no pam_cracklib line, so no password-quality check is applied to local
# password changes. 'nullok' again permits empty local passwords.
password   sufficient   pam_unix.so nullok md5 shadow
password   sufficient   pam_ldap.so use_first_pass
password   required     pam_deny.so
================================================================================
common-account
# Review notes (Ubuntu client, /etc/pam.d/common-account).
# This is the likely reason the host restriction is not applied on this
# client: pam_unix.so is 'sufficient' and runs first, so whenever it returns
# success the stack ends before pam_ldap.so is consulted and pam_ldap's
# host/group check never runs. pam_unix's account check only looks at the
# shadow ageing fields, and with 'passwd/shadow: files ldap' an LDAP user is
# visible to it through NSS, so it presumably succeeds for LDAP users as
# well -- verify with a test login. The Fedora stack in this mail avoids this
# by making pam_unix 'required', letting local users (uid < 500 there; Ubuntu
# starts regular users at 1000) through with pam_succeed_if, and then running
# 'account [default=bad success=ok user_unknown=ignore] pam_ldap.so' followed
# by 'account required pam_permit.so'. Mirror that ordering here.
account    sufficient   pam_unix.so
account    sufficient   pam_ldap.so
account    required     pam_deny.so

================================================================================
common-session
# Review notes (Ubuntu client, /etc/pam.d/common-session).
# pam_limits is also listed directly in the sshd file below, so it runs twice
# for ssh sessions -- harmless, but one of the two can go. pam_mkhomedir has
# no 'umask=' argument, so new home directories get the module default of
# 0022 (world-readable); add 'umask=0077' if that is not wanted.
session    required     pam_limits.so
session    required     pam_mkhomedir.so skel=/etc/skel/
session    required     pam_unix.so
session    optional     pam_ldap.so

================================================================================

sshd
# PAM configuration for the Secure Shell service
# Review notes (Ubuntu client, /etc/pam.d/sshd). This is the stock Debian
# file; the LDAP-specific behaviour lives in the included common-* files, so
# for ssh logins the host restriction depends on common-account reaching
# pam_ldap.so (see the notes there).

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# NOTE(review): pam_access is a local, file-based alternative for restricting
# which users may log in on this host, independent of the LDAP-side check.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
# NOTE(review): common-session already runs pam_limits, so this is a duplicate.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
~


================================================================================


# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# Review notes (Ubuntu client, /etc/nsswitch.conf).
# passwd/group/shadow fall through to LDAP after the local files, matching
# the Fedora client. As there, 'shadow: ... ldap' only returns data if the
# bind identity in /etc/ldap.conf (not shown) may read shadow attributes on
# the server; an anonymous bind usually cannot.
# pre_auth-client-config # passwd:         compat
passwd: files ldap
# pre_auth-client-config # group:          compat
group: files ldap
# pre_auth-client-config # shadow:         compat
shadow: files ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

# pre_auth-client-config # netgroup:       nis
netgroup: files ldap
~
