Re: ssh, pam, and ldap



Richard Ray wrote:
I have configured PAM to authenticate SSH via LDAP.
No problems with that.
How can I configure PAM/SSH to use LDAP for certain accounts only and the Unix password for other accounts?

Running CentOS 5.2

Thanks,
Richard Ray


That is controlled with your /etc/nsswitch.conf:

passwd: files ldap
group:  files ldap

Check if the user exists in /etc/passwd first, then LDAP.

So if you have a local account joe and an LDAP account joe, it should use the local account first. If you flip it around to "passwd: ldap files", then vice versa.

To restrict logins to certain LDAP groups you need to add "pam_groupdn" to your ldap.conf file.

All these relate to PAM and LDAP configurations; I am not a PAM expert. Test your configs, and make sure you didn't allow anyone into your system as root without a password. (Did that once, glad it was a VM.)

HTH,

Jesse Waters
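As an added example (not part of the original thread, and not Jesse's or Richard's own config), the script below writes a constructed nsswitch.conf, a stand-in /etc/passwd and a stand-in for what nss_ldap would return, then resolves a user the way NSS does: walk the sources in the configured order, first hit wins. It also writes the pam_ldap snippet with pam_groupdn. The users, uids and the group DN cn=sshusers,ou=Groups,dc=example,dc=com are made-up assumptions. Two caveats worth keeping in mind: nsswitch.conf only decides which source answers a name lookup (uid, home, shell); which modules do the password check is decided by the PAM stack, where pam_unix and pam_ldap are usually both listed. And pam_groupdn is a pam_ldap option (in CentOS 5's /etc/ldap.conf), so it restricts only accounts that pam_ldap authorizes; a purely local account in /etc/passwd is handled by pam_unix and is not affected by it.

```shell
#!/bin/sh
# Added example, not from the original thread. Simulates the nsswitch.conf
# lookup order with constructed files under a temp dir. All users, uids and
# the group DN are assumptions. On a real box, inspect /etc/nsswitch.conf and
# /etc/ldap.conf and use `getent passwd <user>` instead of the simulation.
set -e
WORK=$(mktemp -d)

# Constructed nsswitch.conf: local files are consulted first, then LDAP.
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
EOF

# Constructed stand-ins for the two sources: what NSS "files" sees
# (/etc/passwd) and what nss_ldap would return from the directory.
# Note joe exists in both with different uids.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
joe:x:500:500:Joe Local:/home/joe:/bin/bash
EOF
cat > "$WORK/ldap" <<'EOF'
joe:x:10001:10001:Joe LDAP:/home/ldap/joe:/bin/bash
alice:x:10002:10002:Alice:/home/ldap/alice:/bin/bash
EOF

# Constructed pam_ldap snippet (assumed group DN): only members of this
# group pass pam_ldap's account check. Local accounts handled by pam_unix
# are not affected by these lines.
cat > "$WORK/ldap.conf" <<'EOF'
pam_groupdn cn=sshusers,ou=Groups,dc=example,dc=com
pam_member_attribute uniqueMember
EOF

# Print the configured source order for one database, e.g. "files ldap".
nss_order() {  # $1 = nsswitch.conf path, $2 = database name
    awk -v db="$2" '$1 == db":" { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# Resolve a user the way NSS would: sources in order, first hit wins.
# Prints the uid from the winning source, or "unknown".
resolve_user() {  # $1 = nsswitch.conf path, $2 = user name
    for src in $(nss_order "$1" passwd); do
        case "$src" in
            files) db="$WORK/passwd" ;;
            ldap)  db="$WORK/ldap" ;;
            *)     continue ;;
        esac
        uid=$(awk -F: -v u="$2" '$1 == u { print $3; exit }' "$db")
        if [ -n "$uid" ]; then
            echo "$uid"
            return 0
        fi
    done
    echo unknown
}

# Flipped order, to show the precedence change described in the reply.
cat > "$WORK/nsswitch-flipped.conf" <<'EOF'
passwd:     ldap files
EOF

echo "files ldap -> joe resolves to uid $(resolve_user "$WORK/nsswitch.conf" joe)"
echo "ldap files -> joe resolves to uid $(resolve_user "$WORK/nsswitch-flipped.conf" joe)"
```

With "files ldap" the local joe (uid 500) wins; with "ldap files" the directory entry (uid 10001) wins, and alice, who only exists in LDAP, resolves either way. On the real system the equivalent check is `getent passwd joe`: the uid and home directory it prints tell you which source answered.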


