[TriLUG] PAM question(s)

David McDowell turnpike420 at gmail.com
Tue Nov 7 10:10:48 EST 2006


I hope we look into this one day, but we don't have the need for AD
based console logins (yet), so my AD auth for Apache using
mod_auth_ldap is good enough for now! :)


On 11/6/06, Paul G. Szabady <Paul at thyservice.com> wrote:
> David,
>
> Very interesting.  I'm not sure they'll let us implement NIS, but this is
> definitely worth looking into.
>
> In the interim, we've gone to using straight kerberos authentication, but
> now we're getting complaints because people don't know when to use
> domain\username vs username to authenticate.
>
> As we move forward, we've been told that the power-to-be *might* extend
> the AD schema to allow us to utilize ldap.  After a long conversation, it
> appears their knowledge of ldap is limited at best.  They did inform us of
> an ADAM server that was available for us to use for testing, but *we*
> would have to tell them how to configure it for our use.  Nice, huh?
>
>
> --
> Paul
> @ Thy Service
>
> > new bit of information of interest to this thread, sorta, quoted from my
> > $boss:
> >
> > "Windows 2003 Server R2 has a new feature called "Identity Management
> > for UNIX," which includes an Active Directory-integrated NIS service.
> > All Red Hat boxes are preconfigured with the ability to authenticate
> > to NIS, and with minor tweaking, you can get them to auto-create home
> > directories the first time a valid NIS user logs in (similar to how
> > Windows XP boxes create user profiles). R2 also includes an NFS server
> > and client, and a Posix-compatible operating environment (like
> > Cygwin). I wonder if you can install gcc on 2003 R2 and compile and
> > run bash?"
> >
> > That might open some doors for alternatives.  I haven't tried this...
> >
> >
> > On 11/2/06, David McDowell <turnpike420 at gmail.com> wrote:
> >> Is this what you want?
> >>
> >> http://www.turnpike420.net/linux/Apache_ADS_AuthLDAP.txt
> >>
> >> David
> >>
> >>
> >>
> >> On 11/2/06, Paul G. Szabady <Paul at thyservice.com> wrote:
> >> > Greetings,
> >> >
> >> > Is it at all possible to authenticate users via http/.htaccess using
> >> > their Windows AD (native mode) domain accounts without a local user
> >> > account?  I have made the following changes and it works fine if there's
> >> > a local user account.  I'm trying to stay away from winbind and don't
> >> > control our AD forest, so I'm not sure we can get ldap extensions in
> >> > the AD.
> >> >
> >> > If this is not possible with the means I've mentioned, can anyone
> >> > suggest any alternatives they've used or seen in use?
> >> >
> >> > This would mainly be on RHEL3 & RHEL4 boxes, although I have two sun
> >> > servers that I need to do something with as well.
> >> >
> >> > In the /etc/httpd/conf/httpd.conf file I added:
> >> > AuthPAM_FallThrough on
> >> > AuthPAM_Enabled on
> >> >
> >> > In the /etc/pam.d/ config files I changed httpd and system-auth to:
> >> >
> >> > [root at server pam.d]# cat httpd
> >> > #%PAM-1.0
> >> > auth required /lib/security/$ISA/pam_env.so
> >> > auth sufficient /lib/security/$ISA/pam_krb5.so
> >> > auth required /lib/security/$ISA/pam_deny.so
> >> > account required /lib/security/$ISA/pam_krb5.so
> >> > [root at server pam.d]#
> >> >
> >> > [root at server pam.d]# cat system-auth
> >> > #%PAM-1.0
> >> > # This file is auto-generated.
> >> > # User changes will be destroyed the next time authconfig is run.
> >> > auth        required      /lib/security/$ISA/pam_env.so
> >> > auth        sufficient    /lib/security/$ISA/pam_krb5.so ccache=/tmp/krb5cc_%u
> >> > auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> >> > auth        required      /lib/security/$ISA/pam_deny.so
> >> >
> >> > account     required      /lib/security/$ISA/pam_unix.so
> >> >
> >> > password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
> >> > password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> >> > password    required      /lib/security/$ISA/pam_deny.so
> >> >
> >> > session     required      /lib/security/$ISA/pam_limits.so
> >> > session     required      /lib/security/$ISA/pam_unix.so
> >> > [root at server pam.d]#
> >> >
> >> > Any help would be appreciated!
> >> >
> >> > --
> >> > Paul
> >> > @ Thy Service
> >> >
> >> >
> >> > --
> >> > TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> >> > TriLUG Organizational FAQ  : http://trilug.org/faq/
> >> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> >> >
> >>


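The quoted httpd and system-auth stacks are a good illustration of how libpam walks a stack, so here is an added example (written for this archive page, not code posted by David or Paul) that models the standard control flags and runs both stacks against constructed per-module outcomes. The module results are assumptions, not observed behaviour: pam_env is taken to always succeed, pam_deny to always fail, and pam_unix to fail in both the auth and account phases when the user has no local passwd entry. The `[value=action]` control syntax and module-specific returns such as PAM_IGNORE are not modelled.

```python
"""Walk a PAM stack the way libpam does, using the two stacks quoted above.

Added example for this thread, not code posted by either author. It models
the control flags (required, requisite, sufficient, optional) for the auth
and account phases and runs constructed outcomes through both stacks.
"""
from typing import Dict, List, Tuple

# The stacks from the thread, one rule per line, without the
# /lib/security/$ISA/ prefix; only the auth and account phases that a login
# check runs are kept (password/session lines do not affect the outcome).
HTTPD_STACK = """\
auth    required   pam_env.so
auth    sufficient pam_krb5.so
auth    required   pam_deny.so
account required   pam_krb5.so
"""

SYSTEM_AUTH_STACK = """\
auth    required   pam_env.so
auth    sufficient pam_krb5.so ccache=/tmp/krb5cc_%u
auth    sufficient pam_unix.so likeauth nullok
auth    required   pam_deny.so
account required   pam_unix.so
"""

STACKS = {"httpd": HTTPD_STACK, "system-auth": SYSTEM_AUTH_STACK}


def parse_stack(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Split a pam.d file into (phase, control, module, args) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM rule: {raw!r}")
        rules.append((parts[0], parts[1], parts[2], parts[3:]))
    return rules


def run_phase(rules, phase: str, results: Dict[str, bool]) -> Tuple[bool, str]:
    """Apply libpam control-flag semantics to one phase.

    results maps module file name -> True (PAM_SUCCESS) / False (any error);
    a module absent from results counts as failing. Returns (passed, reason).
    """
    required_failed = None  # first failing 'required' module, if any
    any_success = False
    for rule_phase, control, module, _args in rules:
        if rule_phase != phase:
            continue
        ok = results.get(module, False)
        any_success = any_success or ok
        if control == "requisite" and not ok:
            return False, f"{phase}: requisite {module} failed"  # stop now
        if control == "required" and not ok and required_failed is None:
            required_failed = module  # recorded, but later modules still run
        if control == "sufficient" and ok and required_failed is None:
            return True, f"{phase}: sufficient {module} succeeded"  # short-circuit
    if required_failed is not None:
        return False, f"{phase}: required {required_failed} failed"
    if any_success:
        return True, f"{phase}: all required modules succeeded"
    return False, f"{phase}: no module succeeded"


def login_allowed(stack_text: str, results: Dict[str, bool]) -> Tuple[bool, str]:
    """pam_authenticate followed by pam_acct_mgmt; both phases must pass."""
    rules = parse_stack(stack_text)
    for phase in ("auth", "account"):
        ok, reason = run_phase(rules, phase, results)
        if not ok:
            return False, reason
    return True, "auth and account phases both passed"


# Constructed module outcomes for three users (assumed, not observed):
# pam_env always succeeds, pam_deny always fails, and pam_unix fails in both
# phases when the user has no entry in the local passwd/shadow files.
SCENARIOS: Dict[str, Dict[str, bool]] = {
    "kerberos_only_no_local_account":
        {"pam_env.so": True, "pam_krb5.so": True, "pam_unix.so": False, "pam_deny.so": False},
    "local_account_only":
        {"pam_env.so": True, "pam_krb5.so": False, "pam_unix.so": True, "pam_deny.so": False},
    "wrong_password":
        {"pam_env.so": True, "pam_krb5.so": False, "pam_unix.so": False, "pam_deny.so": False},
}


def evaluate() -> Dict[str, Dict[str, bool]]:
    """Outcome of every scenario against every stack."""
    return {name: {label: login_allowed(stack, results)[0] for label, stack in STACKS.items()}
            for name, results in SCENARIOS.items()}


if __name__ == "__main__":
    for name, results in SCENARIOS.items():
        for label, stack in STACKS.items():
            ok, why = login_allowed(stack, results)
            print(f"{name:32} {label:12} {'ALLOW' if ok else 'DENY':5} {why}")
```

Under these assumptions the Kerberos-only user clears the auth phase of system-auth through the `sufficient pam_krb5.so` rule but is then rejected by `account required pam_unix.so`, which is consistent with the reported behaviour of working only when a local account exists; the httpd stack instead checks the account phase with pam_krb5, so the same user is admitted there. The evaluator also shows why the `required pam_env.so` line matters: a failure in an earlier `required` rule prevents a later `sufficient` success from short-circuiting the stack.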
