From: Eugene Prokopiev <john@rmts.donpac.ru>
To: community@altlinux.ru
Subject: [Comm] Авторизация из /etc/passwd и ldap одновременно: как правильно?
Date: Mon, 19 Apr 2004 11:08:51 +0400
Message-ID: <40837B03.4040403@rmts.donpac.ru> (raw)
Здравствуйте!
Как сделать так, чтобы в системе могли авторизоваться пользователи,
прописанные как в /etc/passwd, так и в ldap?
On Saturday 17 April 2004 12:58 Denis S. Filimonov поделился своими
рабочими конфигами:
system-auth:
#%PAM-1.0
auth required /lib/security/pam_ldap.so
#auth required /lib/security/pam_tcb.so shadow fork nullok
account required /lib/security/pam_access.so
account required /lib/security/pam_ldap.so
#account required /lib/security/pam_tcb.so shadow fork
password required /lib/security/pam_ldap.so
#password required /lib/security/pam_passwdqc.so
min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny
random=42 enforce=users retry=3
#password required /lib/security/pam_tcb.so use_authtok
shadow fork prefix=$2a$ count=8 write_to=tcb
#session required /lib/security/pam_tcb.so
session required /lib/security/pam_limits.so
system-auth-use_first_pass:
#%PAM-1.0
auth required /lib/security/pam_ldap.so use_first_pass
#auth required /lib/security/pam_tcb.so shadow fork
nullok use_first_pass
password required /lib/security/pam_ldap.so
#password required /lib/security/pam_tcb.so use_authtok
shadow fork prefix=$2a$ count=8 write_to=tcb
Насколько я понял, в таком варианте используется только ldap. Мне же
нужно сохранить и то, что было, добавив пользователей из ldap. Написал
следующее:
system-auth:
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_tcb.so shadow fork
prefix=$2a$ count=8 nullok
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_tcb.so shadow fork
password required /lib/security/pam_passwdqc.so
min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny
random=42 enforce=users retry=3
password required /lib/security/pam_tcb.so use_authtok
shadow fork prefix=$2a$ count=8 write_to=tcb
session required /lib/security/pam_tcb.so
session required /lib/security/pam_limits.so
system-auth-use_first_pass:
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_tcb.so shadow fork
prefix=$2a$ count=8 nullok use_first_pass
password required /lib/security/pam_tcb.so use_authtok
shadow fork prefix=$2a$ count=8 write_to=tcb
Т.е. просто для методов авторизации auth и account добавил sufficient
/lib/security/pam_ldap.so
После этого получилось следующее:
1. По ssh все равно пускают только пользователей из /etc/passwd,
пользователей из ldap посылают подальше со следующими словами:
Apr 19 10:51:09 john-ws pam_tcb[2060]: sshd: Authentication failed for
vasya from (uid=0)
Apr 19 10:51:11 john-ws sshd[2061]: Failed password for vasya from
192.168.46.2 port 4631
2. su - могут использовать как ldap, так и /etc/passwd-пользователи, но
для su - ldap-user пароль надо вводить один раз, а для su - passwd-user
необходимо вводить пароль дважды:
[john@john-ws john]$ su - john
Password:
Password:
[john@john-ws john]$ su - vasya
Password:
-bash-2.05b$
sshd выглядит так:
#%PAM-1.0
auth required /lib/security/pam_userpass.so
auth required /lib/security/pam_stack.so
service=system-auth-use_first_pass
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so
service=system-auth
session required /lib/security/pam_stack.so service=system-auth
su выглядит так:
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel"
group.
#auth sufficient /lib/security/pam_wheel.so debug use_uid
group=wheel trust
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/pam_wheel.so debug use_uid group=wheel
# Uncomment the following line to implicitly trust users with same user id.
#auth sufficient /lib/security/pam_sameuid.so debug
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_deny.so
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
я их не правил.
Что я сделал неправильно и как сделать правильно?
--
С уважением, Прокопьев Евгений
next reply other threads:[~2004-04-19 7:08 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-04-19 7:08 Eugene Prokopiev [this message]
2004-04-19 9:15 ` Nick S. Grechukh
2004-04-19 9:36 ` Eugene Prokopiev
2004-04-19 11:46 ` iLya Bryzgalow
2004-04-19 9:47 ` Eugene Prokopiev
2004-04-19 11:00 ` Nick S. Grechukh
2004-04-19 10:35 ` Denis S. Filimonov
2004-04-19 11:45 ` Eugene Prokopiev
2004-04-19 14:55 ` Denis S. Filimonov
2004-04-20 4:50 ` Eugene Prokopiev
2004-04-19 12:17 ` Eugene Prokopiev
2004-04-19 14:21 ` Nick S. Grechukh
2004-04-19 14:35 ` Denis S. Filimonov
2004-04-19 15:48 ` Nick S. Grechukh
2004-04-20 4:51 ` Eugene Prokopiev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40837B03.4040403@rmts.donpac.ru \
--to=john@rmts.donpac.ru \
--cc=community@altlinux.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux Community general discussions
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/community/0 community/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 community community/ http://lore.altlinux.org/community \
mandrake-russian@linuxteam.iplabs.ru community@lists.altlinux.org community@lists.altlinux.ru community@lists.altlinux.com
public-inbox-index community
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.community
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git