[TriLUG] PAM question(s)
Paul G. Szabady
Paul at ThyService.com
Thu Nov 2 11:19:03 EST 2006
Greetings,
Is it at all possible to authenticate users via http/.htaccess using their
Windows AD (native mode) domain accounts without a local user account? I
have made the following changes and it works fine if there's a local user
account. I'm trying to stay away from winbind and don't control our AD
forest, so I'm not sure we can get ldap extensions in the AD.
If this is not possible with the means I've mentioned, can anyone suggest
any alternatives they've used or seen in use?
This would mainly be on RHEL3 & RHEL4 boxes, although I have two Sun
servers that I need to do something with as well.
In the /etc/httpd/conf/httpd.conf file I added:
AuthPAM_FallThrough on
AuthPAM_Enabled on
In the /etc/pam.d/ config files I changed httpd and system-auth to:
[root at server pam.d]# cat httpd
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_krb5.so
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_krb5.so
[root at server pam.d]#
[root at server pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_krb5.so ccache=/tmp/krb5cc_%u
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
[root at server pam.d]#
Any help would be appreciated!
--
Paul
@ Thy Service