Re: nslcd (via pam), pam_authz_search and active directory
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: nslcd (via pam), pam_authz_search and active directory
- Date: Tue, 09 Nov 2010 18:43:00 +0100
On Tue, 2010-11-09 at 11:02 -0500, btb@bitrate.net wrote:
> i'm trying to use pam_authz_search, but it appears (at least based on
> the debug output of nslcd) that it is not being used. i'm hoping
> someone can tell me what i'm doing wrong (or what i'm missing).
>
> nslcd.conf and nslcd debug output below.
There are two problems with your configuration. First, you probably want
to include the username match in there (remember, a search like any
other is performed, it is not limited to the user object):
pam_authz_search (&(objectClass=user)(uid=$username)(memberof=cn=orb2_virtualbox,ou=orb.example.com,ou=service_accounts,dc=example,dc=com))
Second problem is that the PAM authorisation check isn't performed at
all for some reason (if it were, an nslcd_pam_authz call should have
been logged). This is most likely a problem with your PAM account stack.
You have to ensure that pam_ldap is included in there somewhere.
You could have something like the following in /etc/pam.d/whatever:
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
Hope this helps.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
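The following is an added example (not nslcd's code and not part of the message above) that shows why the reply insists on the (uid=$username) clause. It expands a pam_authz_search template the way nslcd does, escaping the substituted value per RFC 4515 so a login name cannot change the filter's structure, and then evaluates the expanded filter against a small constructed directory with a simplified matcher (equality, &, | and ! only; a real directory server does the matching in practice). Without the username clause the search returns the group's existing members for whoever is logging in, so a non-member is authorised; with it, only the authenticating user's own entry can satisfy the filter. The users, DNs and host name are constructed test data, and the example assumes the login name is stored in uid as in the reply's filter (on Active Directory that attribute is commonly mapped from sAMAccountName in nslcd.conf).

```python
"""Simulate how nslcd expands and applies a pam_authz_search filter.

Added example for this mailing-list message; it is not nslcd code. The
directory entries, users and host name are constructed test data, and the
filter matcher is a simplified stand-in for a real LDAP server.
"""
import re

# Sample directory keyed by DN (constructed data).
GROUP_DN = ("cn=orb2_virtualbox,ou=orb.example.com,"
            "ou=service_accounts,dc=example,dc=com")
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "person", "user"],
        "uid": ["alice"],
        "memberof": [GROUP_DN],
    },
    "cn=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "person", "user"],
        "uid": ["bob"],
        "memberof": [],
    },
}

# The filter without a username clause, and the corrected one from the reply.
FILTER_UNSCOPED = "(&(objectClass=user)(memberof=%s))" % GROUP_DN
FILTER_SCOPED = "(&(objectClass=user)(uid=$username)(memberof=%s))" % GROUP_DN


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def expand_template(template, variables):
    """Replace $name placeholders (as nslcd does for $username, $service,
    $hostname, ...) with escaped values."""
    def sub(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError("unknown filter variable $%s" % name)
        return ldap_escape(variables[name])
    return re.sub(r"\$(\w+)", sub, template)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse a filter into ('&'|'|', [children]), ('!', [child]) or
    ('=', attribute, value).  Only these forms are supported."""
    def expect(i, ch):
        if i >= len(text) or text[i] != ch:
            raise ValueError("expected %r at offset %d" % (ch, i))
        return i + 1

    def parse(i):
        i = expect(i, "(")
        if text[i] in "&|":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
            return (op, children), expect(i, ")")
        if text[i] == "!":
            child, i = parse(i + 1)
            return ("!", [child]), expect(i, ")")
        end = text.index(")", i)
        attr, _, value = text[i:end].partition("=")
        return ("=", attr.lower(), _unescape(value)), end + 1

    tree, i = parse(0)
    if i != len(text):
        raise ValueError("trailing data in filter")
    return tree


def matches(entry, node):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(entry, c) for c in node[1])
    if kind == "|":
        return any(matches(entry, c) for c in node[1])
    if kind == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def authz_search(directory, template, username, service="sshd",
                 hostname="vbox1"):
    """Return the DNs the expanded pam_authz_search filter matches; the
    nslcd authorisation step passes when this list is non-empty."""
    filt = expand_template(template, {"username": username,
                                      "service": service,
                                      "hostname": hostname})
    tree = parse_filter(filt)
    return [dn for dn, entry in directory.items() if matches(entry, tree)]


if __name__ == "__main__":
    for user in ("alice", "bob"):
        for label, filt in (("unscoped", FILTER_UNSCOPED),
                            ("scoped", FILTER_SCOPED)):
            hits = authz_search(DIRECTORY, filt, user)
            print("%-5s %-8s -> %s" % (user, label, "allow" if hits else "deny"))
```

Running it shows bob allowed by the unscoped filter (alice's entry is returned) and denied by the scoped one, while alice is allowed by both. The same approach is a quick way to sanity-check a filter before putting it into nslcd.conf, where the only visible result is a pass or fail in the nslcd debug log.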