On Saturday 22 October 2011 17:58:56 DJ Lucas wrote:
> > Thanks for the random thoughts. AND more such would be most appreciated.
> >
> > sincerely
> > luxInteg
>
> # Begin /etc/pam.d/system-auth
>
> auth sufficient pam_ldap.so
> auth required pam_unix.so use_first_pass
>
> # End /etc/pam.d/system-auth
>
> In the example above, pam_ldap was checked first, it provided the
> passing vote so to speak, in this case the success auth token is passed
> to the required pam_unix module. The use_first_pass directive to
> pam_unix allows it to use the information obtained from the previous
> module in its own evaluation of the requirement. A simple example, but
> one that works for the system I was speaking about last night. If pam_ldap
> fails to auth, then using sufficient allows pam_unix to ignore the
> previous one and fall back to /etc files (shadow).

I have two iterations of openldap-2.4.23 (both on 64bit amd-based machines)

--A- built with the configure script not mentioning bdb; but the openldap-2.4.23 sources compiled and generated a test file (with make test) of some 40k lines (2.1 Mbytes in size)

--B- compiled with berkeley-db configured either as module or 'yes' and generated a (post-compiled) test file of ~100kbytes. 'make test' fails consistently on test-29 no matter if LDFLAGS is set or not set.

I have pam_ldap and nss_ldap as per the cblfs site ( http://cblfs.cross-lfs.org/index.php/Pam_ldap ) installed.

As regards login
--A allows login whatever the status of openldap
--B only allows login if slapd is running
it seems to ignore /etc/pam.d/system-auth settings?

Any suggestion?

> I hope I explained that well enough, though I'm sure the terminology is
> incorrect. It is spelled out a lot better in the link provided in the
> book for the System Administrator's guide (which unfortunately was on
> kernel.org). Here is a copy of it:
> http://debian.securedservers.com/kernel/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html .
> While I'm not familiar with SmartCard login, if there
> is a method to get that info into the system via nss and auth via PAM (or
> any other nss combination you can dream up be it in LDAP or otherwise),
> then you would use a similar technique to get the PAM info from the
> smartcard module to pam_unix and thus meet the required auth.
>
> The above reads horribly and my terminology is probably wrong...I'm
> sorry about that, but I have to leave again and am out of time for
> today. I hope that gets you going in the right direction. The
> administrators guide is really what you need to fully understand it.
> I'll try and look it up myself when I have a little more time to spare
> and give you a more technically correct answer with proper terms and
> maybe some additional suggestions.
>
> -- DJ Lucas
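
An added example, not part of the original messages: a simplified Python model of how Linux-PAM walks the `auth` stack quoted above, following the control-flag rules in the Linux-PAM System Administrators' Guide. The per-module results are constructed inputs, and only the simple keywords `required`, `requisite`, `sufficient` and `optional` are modelled (no bracketed controls, no real modules).

```python
# Added example: simplified model of Linux-PAM control flags (not real PAM code).
STACK = """\
# Begin /etc/pam.d/system-auth
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
# End /etc/pam.d/system-auth
"""

def parse_stack(text, mgmt="auth"):
    """Return [(control, module, args)] for rules of one management group."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        kind, control, module, *args = line.split()
        if kind == mgmt:
            rules.append((control, module, args))
    return rules

def evaluate(rules, results):
    """results maps module -> True (PAM_SUCCESS) or False; returns (granted, called)."""
    required_failed = False
    binding_success = False        # a required/requisite module has succeeded
    called = []
    for control, module, _args in rules:
        ok = results[module]       # constructed outcome for this module
        called.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, called        # stack stops; later modules never run
        elif control == "requisite":
            if not ok:
                return False, called       # fail immediately
            binding_success = True
        elif control == "required":
            if ok:
                binding_success = True
            else:
                required_failed = True     # keep going, final result is failure
        elif control != "optional":
            raise ValueError(f"unsupported control: {control}")
    return (binding_success and not required_failed), called

if __name__ == "__main__":
    rules = parse_stack(STACK)
    for ldap_ok, unix_ok in [(True, False), (False, True), (False, False)]:
        print(ldap_ok, unix_ok, evaluate(rules, {"pam_ldap.so": ldap_ok, "pam_unix.so": unix_ok}))
```

In this model a failing `pam_ldap.so` (for example, the directory being unreachable) leaves the decision to `pam_unix.so`, while a succeeding one ends the stack before `pam_unix.so` is called.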