Re: nslcd (via pam), pam_authz_search and active directory

["btb [at] bitrate.net" <btb [at] bitrate.net>]

thanks - the problem was me not understanding that pam_authz_search was 
triggered from the account stack.  i was expecting (i'm not sure why) it 
to be called from the auth stack.

the vrdp/pam stuff with virtualbox has been a bit of an enigma to me, 
and i wasn't initially using any account statements in the pam config. 
after adding a properly constructed account stack, it's working just great.

thanks again
-ben

On 2010.11.09 12.43, Arthur de Jong wrote:
> On Tue, 2010-11-09 at 11:02 -0500, btb@bitrate.net wrote:
> > i'm trying to use pam_authz_search, but it appears (at least based on
> > the debug output of nslcd) that it is not being used.  i'm hoping
> > someone can tell me what i'm doing wrong (or what i'm missing).
> >
> > nslcd.conf and nslcd debug output below.
>
> There are two problems with your configuration. First, you probably want
> to include the username match in there (remember, a search like any
> other is performed, it is not limited to the user object):
>
> pam_authz_search 
> (&(objectClass=user)(uid=$username)(memberof=cn=orb2_virtualbox,ou=orb.example.com,ou=service_accounts,dc=example,dc=com))
>
> Second problem is that the PAM authorisation check isn't performed at
> all for some reason (if there were a nslcd_pam_authz call should have
> been logged). This is most likely a problem with your PAM account stack.
> You have to ensure that pam_ldap is included in there somewhere.
>
> You could have something like the following in /etc/pam.d/whatever:
>
> account     required      pam_unix.so
> account     sufficient    pam_succeed_if.so uid<  1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> Hope this helps.
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users