From: Eugene Prokopiev <john@rmts.donpac.ru> To: community@altlinux.ru Subject: [Comm] Авторизация из /etc/passwd и ldap одновременно: как правильно? Date: Mon, 19 Apr 2004 11:08:51 +0400 Message-ID: <40837B03.4040403@rmts.donpac.ru> (raw) Здравствуйте! Как сделать так, чтобы в системе могли авторизоваться пользователи, прописанные как в /etc/passwd, так и в ldap? On Saturday 17 April 2004 12:58 Denis S. Filimonov поделился своими рабочими конфигами: system-auth: #%PAM-1.0 auth required /lib/security/pam_ldap.so #auth required /lib/security/pam_tcb.so shadow fork nullok account required /lib/security/pam_access.so account required /lib/security/pam_ldap.so #account required /lib/security/pam_tcb.so shadow fork password required /lib/security/pam_ldap.so #password required /lib/security/pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny random=42 enforce=users retry=3 #password required /lib/security/pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 write_to=tcb #session required /lib/security/pam_tcb.so session required /lib/security/pam_limits.so system-auth-use_first_pass: #%PAM-1.0 auth required /lib/security/pam_ldap.so use_first_pass #auth required /lib/security/pam_tcb.so shadow fork nullok use_first_pass password required /lib/security/pam_ldap.so #password required /lib/security/pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 write_to=tcb Насколько я понял, в таком варианте используется только ldap. Мне же нужно сохранить и то, что было, добавив пользователей из ldap. Написал следующее: system-auth: #%PAM-1.0 auth sufficient /lib/security/pam_ldap.so auth required /lib/security/pam_tcb.so shadow fork prefix=$2a$ count=8 nullok account sufficient /lib/security/pam_ldap.so account required /lib/security/pam_tcb.so shadow fork password required /lib/security/pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny random=42 enforce=users retry=3 password required /lib/security/pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 write_to=tcb session required /lib/security/pam_tcb.so session required /lib/security/pam_limits.so system-auth-use_first_pass: #%PAM-1.0 auth sufficient /lib/security/pam_ldap.so auth required /lib/security/pam_tcb.so shadow fork prefix=$2a$ count=8 nullok use_first_pass password required /lib/security/pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 write_to=tcb Т.е. просто для методов авторизации auth и account добавил sufficient /lib/security/pam_ldap.so После этого получилось следующее: 1. По ssh все равно пускают только пользователей из /etc/passwd, пользователей из ldap посылают подальше со следующими словами: Apr 19 10:51:09 john-ws pam_tcb[2060]: sshd: Authentication failed for vasya from (uid=0) Apr 19 10:51:11 john-ws sshd[2061]: Failed password for vasya from 192.168.46.2 port 4631 2. su - могут использовать как ldap, так и /etc/passwd-пользователи, но для su - ldap-user пароль надо вводить один раз, а для su - passwd-user необходимо вводить пароль дважды: [john@john-ws john]$ su - john Password: Password: [john@john-ws john]$ su - vasya Password: -bash-2.05b$ sshd выглядит так: #%PAM-1.0 auth required /lib/security/pam_userpass.so auth required /lib/security/pam_stack.so service=system-auth-use_first_pass auth required /lib/security/pam_nologin.so account required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth su выглядит так: #%PAM-1.0 auth sufficient /lib/security/pam_rootok.so # Uncomment the following line to implicitly trust users in the "wheel" group. #auth sufficient /lib/security/pam_wheel.so debug use_uid group=wheel trust # Uncomment the following line to require a user to be in the "wheel" group. #auth required /lib/security/pam_wheel.so debug use_uid group=wheel # Uncomment the following line to implicitly trust users with same user id. #auth sufficient /lib/security/pam_sameuid.so debug auth required /lib/security/pam_stack.so service=system-auth account required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_deny.so session required /lib/security/pam_stack.so service=system-auth session optional /lib/security/pam_xauth.so я их не правил. Что я сделал неправильно и как сделать правильно? -- С уважением, Прокопьев Евгений
next reply other threads:[~2004-04-19 7:08 UTC|newest] Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top 2004-04-19 7:08 Eugene Prokopiev [this message] 2004-04-19 9:15 ` Nick S. Grechukh 2004-04-19 9:36 ` Eugene Prokopiev 2004-04-19 11:46 ` iLya Bryzgalow 2004-04-19 9:47 ` Eugene Prokopiev 2004-04-19 11:00 ` Nick S. Grechukh 2004-04-19 10:35 ` Denis S. Filimonov 2004-04-19 11:45 ` Eugene Prokopiev 2004-04-19 14:55 ` Denis S. Filimonov 2004-04-20 4:50 ` Eugene Prokopiev 2004-04-19 12:17 ` Eugene Prokopiev 2004-04-19 14:21 ` Nick S. Grechukh 2004-04-19 14:35 ` Denis S. Filimonov 2004-04-19 15:48 ` Nick S. Grechukh 2004-04-20 4:51 ` Eugene Prokopiev
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=40837B03.4040403@rmts.donpac.ru \ --to=john@rmts.donpac.ru \ --cc=community@altlinux.ru \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
ALT Linux Community general discussions This inbox may be cloned and mirrored by anyone: git clone --mirror http://lore.altlinux.org/community/0 community/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 community community/ http://lore.altlinux.org/community \ mandrake-russian@linuxteam.iplabs.ru community@lists.altlinux.org community@lists.altlinux.ru community@lists.altlinux.com public-inbox-index community Example config snippet for mirrors. Newsgroup available over NNTP: nntp://lore.altlinux.org/org.altlinux.lists.community AGPL code for this site: git clone https://public-inbox.org/public-inbox.git