Re: combine pam-usb and pam-ldapd ?
- From: Tim White <weirdit [at] gmail.com>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: combine pam-usb and pam-ldapd ?
- Date: Mon, 12 Dec 2011 10:04:32 +0800

On 12/12/11 06:38, Arthur de Jong wrote:
>> I would really want to have users authenticated by a private key on a
>> usb stick, with/without a password.
>> This seems to be what pam-usb does for local users. Do you think it
>> would be possible to somehow get the pam-usb functionality into
>> pam-ldapd?
>
> You can probably do without libpam_ldapd then, just use libnss_ldapd to
> provide the user information from LDAP. You could keep libpam_ldapd
> around to do authorisation checks (account expiry) or provide a fallback
> authentication mechanism, depending on your PAM config.
>
> I don't have any experience with pam_usb so can't comment on that.

Correctly set up, PAM is designed to be modular. So you can, for example,
use libnss to provide all the passwd/group information, and then use
pam_usb to attempt to authenticate, and then fall back to libpam_ldapd on
failure. Do some reading into PAM (man pam, man pam.conf) and look into
required and sufficient. 'sufficient', for example, allows this module to
authenticate the user, but a failure doesn't deny login if another
module authenticates the user successfully. Make sure you do good
testing though!

Tim
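
An added example, not part of the original message or of nss-pam-ldapd: a simplified Python model of how Linux-PAM evaluates the `required` and `sufficient` keywords discussed above, run over a constructed auth stack that tries pam_usb first and falls back to the LDAP module. The module file names (`pam_usb.so`, `pam_ldap.so`, `pam_deny.so`) and the stack itself are assumptions for illustration.

```python
# Simplified model of how Linux-PAM walks one stack (here: auth).
# Covers only the four keyword control flags, not the [value=action] syntax.
ACTIONS = {  # flag -> (action on module success, action on module failure)
    "required":   ("ok",   "bad"),
    "requisite":  ("ok",   "die"),
    "sufficient": ("done", "ignore"),
    "optional":   ("ok",   "ignore"),
}

# Constructed sample stack: try the USB key first, fall back to LDAP.
# Module file names are assumptions; adjust to what your system installs.
STACK = """
auth  sufficient  pam_usb.so
auth  sufficient  pam_ldap.so
auth  required    pam_deny.so
"""

def parse(text, facility="auth"):
    """Return [(control_flag, module), ...] for one facility."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            if fields[1] not in ACTIONS:
                raise ValueError("unsupported control: " + fields[1])
            rows.append((fields[1], fields[2]))
    return rows

def evaluate(stack, results):
    """results maps module -> True (success) / False (failure).
    Returns (granted, modules_actually_called)."""
    failed = positive = False
    called = []
    for flag, module in stack:
        called.append(module)
        action = ACTIONS[flag][0 if results[module] else 1]
        if action in ("ok", "done"):
            if not failed:             # a success never overrides an earlier failure
                positive = True
                if action == "done":   # sufficient: stop walking the stack
                    break
        elif action in ("bad", "die"):
            failed = True
            if action == "die":        # requisite: stop walking the stack
                break
    return (positive and not failed), called
```

Feeding every success/failure combination through `evaluate` before touching the real files under `/etc/pam.d` shows which modules are reached and whether a reordered stack still denies when it should.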