Re: [Dovecot] LDAP authentication via PAM
Oscar A. Valdez wrote:
On Mon, 10-04-2006 at 11:17 -0600, Stephen Warren wrote:
Oscar A. Valdez wrote:
Before trying Luis' suggestion, I had the following in /var/log/messages:
dovecot(pam_unix)[4691]: check pass; user unknown
dovecot(pam_unix)[4691]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
I believe this is because your PAM configuration checks both local files (pam_unix: /etc/passwd) and pam_ldap: LDAP. The pam_unix module can't find the user in the local database, and complains, then LDAP finds the user information, and allows the login/whatever.
The solution is probably to create a /etc/pam.d/system-auth-ldap-only file that doesn't reference pam_unix, and use that pam configuration for network services such as Dovecot.
Or, possibly, check pam_ldap first with a "sufficient" setting; perhaps this will stop pam_unix being tried at all?
I keep meaning to try this, since I'm seeing those messages from a number of network services, but have never gotten around to it!
They tend to fill up the message log quickly, so if you get around to it, I'm interested in your fix.
Well, I finally got around to fiddling with this, and I now have created a /etc/pam.d/system-auth that doesn't trigger the annoying authentication failure messages in syslog. The file is shown below.
I've tested this by connecting in using SSH (set up for PAM) both as a user in the local /etc/passwd and as a user in LDAP. Also, I tested /etc/passwd users with the LDAP server stopped, and that worked too. Finally, I tested connecting to Dovecot as an LDAP user.
Note: The only section that references LDAP is the auth section. That's because account and session rely on pam_unix to pick up the information using nss_ldap (i.e. /etc/nsswitch.conf says "files ldap" for passwd, group, etc.). This seems to work for me...
Also, note that my LDAP server stores Samba passwords too, so that's why the password section uses pam_smbpass (which in turn is set up to access LDAP via /etc/samba/smb.conf) rather than pam_ldap. This is so both the Unix and SMB passwords are updated in LDAP.
Anyway, here's my file. Anyone want to pick holes in it? Indented lines are just mail formatting...
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_ldap.so debug
    auth        sufficient    /lib/security/$ISA/pam_unix.so use_first_pass likeauth
    auth        required      /lib/security/$ISA/pam_deny.so

    account     required      /lib/security/$ISA/pam_unix.so
    account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account     required      /lib/security/$ISA/pam_permit.so

    password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
    password    sufficient    /lib/security/$ISA/pam_smbpass.so use_authtok
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    required      /lib/security/$ISA/pam_deny.so

    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so
    session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0077
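To see why putting pam_ldap "sufficient" ahead of pam_unix silences the "user unknown" noise, here is an added toy evaluator of PAM control-flag semantics (required / requisite / sufficient) for the auth stack. It is illustration code written for this thread, not Linux-PAM or Dovecot code; the two user databases and the "pam_unix first" ordering it compares against are constructed assumptions.

```python
# Toy model of how Linux-PAM walks an "auth" stack with the legacy control
# keywords. Added example; the backends below are constructed sample data.

# Constructed sample backends: one local (/etc/passwd) user, one LDAP-only user.
LOCAL_USERS = {"alice": "pw-local"}
LDAP_USERS = {"bob": "pw-ldap"}

def pam_env(user, password, log):          # sets environment, never fails
    return True

def pam_unix(user, password, log):
    # pam_unix logs "user unknown" whenever it is consulted for a non-local user,
    # even if a later module will go on to authenticate that user.
    if user not in LOCAL_USERS:
        log.append(f"pam_unix: check pass; user unknown ({user})")
        return False
    return LOCAL_USERS[user] == password

def pam_ldap(user, password, log):
    return LDAP_USERS.get(user) == password

def pam_deny(user, password, log):
    return False

def run_auth_stack(stack, user, password):
    """stack is a list of (control, module). Returns (authenticated, log_lines).
    required:   failure is remembered, the stack keeps running
    requisite:  failure ends the stack immediately with failure
    sufficient: success ends the stack with success unless a required module
                already failed; failure is ignored"""
    log, failed_required = [], False
    for control, module in stack:
        ok = module(user, password, log)
        if control == "required":
            failed_required = failed_required or not ok
        elif control == "requisite" and not ok:
            return False, log
        elif control == "sufficient" and ok and not failed_required:
            return True, log
    return not failed_required, log

# The auth section from the post above (module options are not modelled).
STACK_LDAP_FIRST = [("required", pam_env), ("sufficient", pam_ldap),
                    ("sufficient", pam_unix), ("required", pam_deny)]
# Assumed earlier ordering that consults pam_unix before pam_ldap.
STACK_UNIX_FIRST = [("required", pam_env), ("sufficient", pam_unix),
                    ("sufficient", pam_ldap), ("required", pam_deny)]

if __name__ == "__main__":
    for name, stack in (("ldap first", STACK_LDAP_FIRST), ("unix first", STACK_UNIX_FIRST)):
        ok, log = run_auth_stack(stack, "bob", "pw-ldap")
        print(f"{name}: bob authenticated={ok}, syslog noise={log}")
```

With LDAP first, the LDAP user never reaches pam_unix, so nothing is logged; with pam_unix first, the login still succeeds but leaves the spurious failure line behind.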