
zgabe84 at gmail
Nov 24, 2011, 6:58 AM
Post #3 of 4
Hi,

Thank you for your answer. I am using FreeBSD and pam_radius authentication. I considered using pam_ldap but I haven't tried it yet. Today I started to configure pam_ldap and nss_ldap. It seems my computer and LDAP can communicate. I added the following line to /etc/pam.d/sshd to retrieve account information, and I modified nsswitch too (passwd: files ldap, group: files ldap):

account required /usr/local/lib/pam_ldap.so

There is no working synchronization between my node and LDAP. I recognized that my LDAP schema does not contain posixAccount and posixGroup. (I think it can be a problem.) I am not familiar with nss and ldap, so my question is: what do I need exactly to reach a working synchronization?

Best Regards,
Gábor Zöld

2011/11/23 Iain Morgan <imorgan [at] nas>:
> On Tue, Nov 22, 2011 at 08:57:53 -0600, Gábor Zöld wrote:
>> Hi,
>>
>> I am working on the following SSH solution and I need some help:
>> 1. User ssh against my node where he/she does not have an account
>> 2. Firstly the node synchronizes its user database from a remote db
>> with ldap. (just refresh the database, no authentication here)
>> 3. Authenticate the user with a PAM module
>>
>> I am using my synchronisation script as a PAM module but it seems that
>> the authentication PAM module cannot authenticate the user if the user is
>> created in the previous PAM module. (my guess is authctxt contains bad
>> values -> fakepw)
>> Is there any working solution or do I have to hack auth1.c in order to do
>> the synchronization before user verification?
>>
>
> This might be a bit easier to answer if you indicated which OS and PAM
> modules you are using. But since you didn't, I'll assume some variant of
> Linux and pam_ldap.
>
> The easiest thing would be to use pam_ldap to query LDAP directly for
> the account information. However, I presume you've already considered
> and rejected that approach for some reason.
>
> In our environment, the PAM stack is configured to query LDAP directly.
> For various reasons, we also synchronize /etc/{passwd,shadow,group} with
> LDAP. This is done via a cronjob rather than being triggered by a user
> login attempt.
>
> --
> Iain Morgan

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
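As an added example (not code from the thread, nor from pam_ldap or nss_ldap), a checker for the schema problem Gábor suspects: nss_ldap only maps directory entries into passwd and group when they carry the RFC 2307 posixAccount or posixGroup object class with its required attributes, so the script parses an LDIF export (the sample data here is constructed) and reports every entry that "passwd: files ldap" would silently skip.

```python
# RFC 2307 MUST attributes of the classes nss_ldap maps to passwd/group.
REQUIRED = {
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "posixGroup": {"cn", "gidNumber"},
}

def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries -> {attr: [values]}."""
    entries, current = [], {}
    lines = [l for l in text.splitlines() if not l.startswith("#")]
    for line in lines + [""]:          # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
        elif current:
            entries.append(current)
            current = {}
    return entries

def check_posix_entries(entries):
    """Return (dn, problem) pairs for entries nss_ldap cannot use."""
    problems = []
    for e in entries:
        dn = e["dn"][0]
        posix = set(e.get("objectClass", [])) & set(REQUIRED)
        if not posix:                  # the situation described in the thread
            problems.append((dn, "no posixAccount/posixGroup objectClass"))
        for oc in sorted(posix):
            if missing := sorted(REQUIRED[oc] - set(e)):
                problems.append((dn, f"{oc} missing {missing}"))
    return problems

# Constructed sample data for this added example (not from the thread).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
cn: Alice
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson

dn: cn=users,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: users
gidNumber: 10001
"""
```

Running `check_posix_entries(parse_ldif(SAMPLE_LDIF))` flags only bob, whose entry has no POSIX class; feed it the output of an `ldapsearch -LLL` dump of the People and Group subtrees to see which real entries NSS will never resolve.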