UsePAM yes
Then updated the file /etc/pam.d/sshd to the following (/etc/ssh/denyusers is empty):
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
auth include system-auth
account sufficient pam_ldap.so
account required pam_nologin.so
account include system-auth
password required pam_ldap.so
password include system-auth
session sufficient pam_ldap.so
session include system-auth
I also updated the file /etc/pam.d/proftpd to enable LDAP authentication for proftpd:
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth include system-auth
account sufficient pam_ldap.so
account include system-auth
session sufficient pam_ldap.so
session include system-auth
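The two stacks above rely on the order of the sufficient and required lines. The following simulator is an added example, not code from the original post or from Linux-PAM; it models the control flags required, requisite, sufficient, optional and include, treats include as splicing the named file's lines in place, and uses a constructed system-auth and constructed per-module outcomes instead of real LDAP, /etc/ssh/denyusers or /etc/ftpusers lookups. Walking the sshd stack as posted shows that a successful LDAP authentication returns before pam_listfile.so is reached, so the deny file only applies to users who fail pam_ldap.so (the proftpd stack has the same shape with /etc/ftpusers); moving the pam_listfile.so line ahead of pam_ldap.so makes the deny list apply to every user.

```python
"""Simulate how Linux-PAM walks an 'auth' stack such as the sshd and proftpd
stacks above.  Added illustration code, not part of the original post or of
Linux-PAM: the system-auth contents and the per-module outcomes are
constructed assumptions, not real LDAP or deny-file checks."""

from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]  # (control flag, module name)

# Constructed stand-in for the auth lines of /etc/pam.d/system-auth.
INCLUDES: Dict[str, Stack] = {"system-auth": [("required", "pam_unix.so")]}

# The sshd auth stack from the post.
SSHD_AUTH = """\
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
auth include system-auth
"""

# The same modules with the deny list consulted before LDAP (hypothetical variant).
SSHD_AUTH_DENY_FIRST = """\
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
auth sufficient pam_ldap.so
auth include system-auth
"""


def parse_stack(text: str, mtype: str = "auth") -> Stack:
    """Keep the lines of one management type; module arguments are ignored."""
    stack: Stack = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] != mtype:
            continue
        stack.append((fields[1], fields[2]))
    return stack


def flatten(stack: Stack, includes: Dict[str, Stack]) -> Stack:
    """Replace each 'include' line with the included file's lines."""
    out: Stack = []
    for control, module in stack:
        if control == "include":
            out.extend(flatten(includes[module], includes))
        else:
            out.append((control, module))
    return out


def evaluate(stack: Stack, outcomes: Dict[str, bool],
             includes: Dict[str, Stack] = INCLUDES) -> Tuple[str, List[str]]:
    """Return (final result, modules actually consulted).

    outcomes maps a module name to whether it would succeed for this login;
    a module that is not listed is treated as failing.
    """
    consulted: List[str] = []
    required_failed = False
    for control, module in flatten(stack, includes):
        ok = outcomes.get(module, False)
        consulted.append(module)
        if control == "required":
            # the failure is remembered, but the rest of the stack still runs
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return "PAM_AUTH_ERR", consulted
        elif control == "sufficient":
            # success ends the stack at once unless a required module already failed
            if ok and not required_failed:
                return "PAM_SUCCESS", consulted
        elif control != "optional":
            raise ValueError(f"unsupported control flag: {control}")
    if not consulted or required_failed:
        return "PAM_AUTH_ERR", consulted
    return "PAM_SUCCESS", consulted


# Constructed outcome: valid LDAP password, user listed in /etc/ssh/denyusers.
LDAP_USER_IN_DENYLIST = {"pam_ldap.so": True, "pam_listfile.so": False, "pam_unix.so": False}
# Constructed outcome: local /etc/passwd user who is listed in the deny file.
LOCAL_USER_IN_DENYLIST = {"pam_ldap.so": False, "pam_listfile.so": False, "pam_unix.so": True}


def ldap_user_as_posted() -> Tuple[str, List[str]]:
    return evaluate(parse_stack(SSHD_AUTH), LDAP_USER_IN_DENYLIST)


def local_user_as_posted() -> Tuple[str, List[str]]:
    return evaluate(parse_stack(SSHD_AUTH), LOCAL_USER_IN_DENYLIST)


def ldap_user_deny_first() -> Tuple[str, List[str]]:
    return evaluate(parse_stack(SSHD_AUTH_DENY_FIRST), LDAP_USER_IN_DENYLIST)


if __name__ == "__main__":
    print("as posted, LDAP user in deny list:", ldap_user_as_posted())
    print("as posted, local user in deny list:", local_user_as_posted())
    print("deny list first, LDAP user:", ldap_user_deny_first())
```

The same reasoning applies to the account stacks: with account sufficient pam_ldap.so listed first, pam_nologin.so is only reached for users whose LDAP account check fails.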
The following are included in the file /etc/nsswitch.conf:
passwd: ldap files
shadow: files ldap
group: ldap files
Note: if a user has an entry in both LDAP and /etc/passwd, two entries will be returned by the command
getent passwd | grep username
Use the command
id username
to return the corresponding user entry, including group membership.
The following items are changed in the file /etc/ldap.conf:
host
base
binddn
bindpw
scope sub
pam_filter objectClass=posixAccount
pam_login_attribute uid
ssl off
#default objectclass posixAccount and attribute uid
nss_base_passwd
nss_base_shadow
#default objectclass posixGroup and attribute cn
nss_base_group
nss_base_hosts
The above two files can also be modified by running the command
drakauth
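The note above about a user present in both LDAP and /etc/passwd can be turned into a routine check. The following script is an added example, not code from the original post: it parses the text that getent passwd prints (the sample below is constructed, with the LDAP entries first as they would be under the nsswitch order above), reports usernames that appear more than once and UIDs shared by different usernames, and shows which line a name lookup such as id username resolves to, namely the first match.

```python
"""Check the merged NSS view of passwd for duplicate names and UID collisions.
Added illustration code, not part of the original post; the input is the
text that `getent passwd` prints, and the sample below is constructed."""

from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample output of `getent passwd` with 'passwd: ldap files':
# 'bob' exists in LDAP (uid 1001) and in /etc/passwd (uid 1500);
# 'carol' (LDAP) and 'backup' (local) both use uid 1002.
SAMPLE_GETENT = """\
alice:x:1000:1000:Alice (LDAP):/home/alice:/bin/bash
bob:x:1001:1001:Bob (LDAP):/home/bob:/bin/bash
carol:x:1002:1002:Carol (LDAP):/home/carol:/bin/bash
root:x:0:0:root:/root:/bin/bash
bob:x:1500:1500:Bob (local):/home/bob:/bin/bash
backup:x:1002:1002:Backup job:/var/backups:/sbin/nologin
"""


def parse_passwd(text: str) -> List[Tuple[str, int, str]]:
    """Return (name, uid, raw line) for each passwd-format line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"not a passwd entry: {line!r}")
        entries.append((fields[0], int(fields[2]), line))
    return entries


def find_collisions(text: str) -> Tuple[List[str], Dict[int, List[str]]]:
    """Return (names listed more than once, {uid: names} for uids shared by
    different names).  A shared uid means two accounts own the same files."""
    by_name = defaultdict(list)
    by_uid = defaultdict(set)
    for name, uid, line in parse_passwd(text):
        by_name[name].append(line)
        by_uid[uid].add(name)
    dup_names = sorted(n for n, lines in by_name.items() if len(lines) > 1)
    shared_uids = {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}
    return dup_names, shared_uids


def effective_entry(text: str, name: str) -> Optional[str]:
    """The first matching line: with 'passwd: ldap files' a name lookup
    (getpwnam, and so `id username`) stops at the first source that answers."""
    for entry_name, _uid, line in parse_passwd(text):
        if entry_name == name:
            return line
    return None


if __name__ == "__main__":
    names, uids = find_collisions(SAMPLE_GETENT)
    print("names with more than one entry:", names)
    print("uids shared by different names:", uids)
    print("id bob would resolve to:", effective_entry(SAMPLE_GETENT, "bob"))
```

On a live system the input is the output of getent passwd; running the check per source (for example getent passwd -s files and getent passwd -s ldap, where the glibc getent supports the -s option) shows which side each conflicting entry comes from.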
The nss_updatedb utility maintains a local cache of network directory user and group information. Used in conjunction with the pam_ccreds module, it provides a mechanism for disconnected use of network directories. I have the following lines in the file /etc/sysconfig/nss_updatedb:
NSS_SERVICE=ldap
ONLY_LOGGED_USERS=yes
Ref: LDAP Authentication HOWTO