On Saturday 22 October 2011 17:58:56 DJ Lucas wrote:
> # Begin /etc/pam.d/system-auth
>
> auth sufficient pam_ldap.so
> auth required pam_unix.so use_first_pass
>
> # End /etc/pam.d/system-auth
>
> In the example above, pam_ldap was checked first, it provided the
> passing vote so to speak, in this case the success auth token is passed
> to the required pam_unix module. The use_first_pass directive to
> pam_unix allows it to use the information obtained from the previous
> module in its own evaluation of the requirement. A simple example, but
> one that works for system I was speaking about last night. If pam_ldap
> fails to auth, then using sufficient allows pam_unix to ignore the
> previous one and fall back to /etc files (shadow).
>
> I hope I explained that well enough, though I'm sure the terminology is
> incorrect. It is spelled out a lot better in the link provided in the
> book for the System Administrator's guide (which unfortunately was on
> kernel.org). Here is a copy of it:
> http://debian.securedservers.com/kernel/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html .
> While I'm not familiar with SmartCard login, if there
> is a method to get that info into the system via nss and auth via PAM (or
> any other nss combination you can dream up be it in LDAP or otherwise),
> then you would use a similar technique to get the PAM info from the
> smartcard module to pam_unix and thus meet the required auth.
>
> The above reads horribly and my terminology is probably wrong...I'm
> sorry about that, but I have to leave again and am out of time for
> today. I hope that gets you going in the right direction. The
> administrators guide is really what you need to fully understand it.
> I'll try and look it up myself when I have a little more time to spare
> and give you a more technically correct answer with proper terms and
> maybe some additional suggestions.
>
> -- DJ Lucas
##########

This excerpt:-

{{
Edit /etc/default/slapd and allow the LDAP service to listen for IPC
connections (i.e. Unix domain sockets) by adding this line to the end of
the file:
SLAPD_SERVICES="ldap:/// ldapi:///"
}}

AND this one:-

{{
Edit /etc/default/slapd and uncomment a line near the end of the file that
will export the location of the Kerberos system keytab file as a variable:
export KRB5_KTNAME=/etc/krb5.keytab
}}

come from this link:-
http://www.rjsystems.nl/en/2100-kerberos-openldap-provider.php

It is for a Debian system, and I checked on the BLFS setup I am using and
there is an /etc/defaults directory but no /etc/default/slapd.

The question is:-
Is /etc/default/slapd important as described in the excerpts?
And if so, what are the contents/properties of this file?

Advice would be much appreciated.

sincerely
lux-integ
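
The control-flag walk for the system-auth stack quoted at the top of this message, as an added example that is not part of the original thread: a simplified Python model of the `required`, `requisite` and `sufficient` rules described in the Linux-PAM System Administrators' Guide. The function names and the per-module outcomes are assumptions constructed for illustration; no real PAM modules are called, and `optional`, `include` and bracketed `[value=action]` controls are not modelled.

```python
# Simplified model of how Linux-PAM walks an "auth" stack (added example).
# Module outcomes are supplied by the caller as constructed test input.

SYSTEM_AUTH = """\
# Begin /etc/pam.d/system-auth
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
# End /etc/pam.d/system-auth
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module, [args])] for one facility, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def evaluate(stack, outcomes):
    """outcomes maps module name -> True (success) or False (failure).
    Returns (access_granted, modules_consulted_in_order)."""
    required_failed = False
    any_success = False
    consulted = []
    for control, module, _args in stack:
        ok = outcomes[module]
        consulted.append(module)
        if control == "required":
            # A failure is remembered, but the rest of the stack still runs.
            any_success = any_success or ok
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False, consulted      # fail immediately
            any_success = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True, consulted       # succeed immediately
            # A failed "sufficient" module is ignored; carry on down the stack.
        else:
            raise ValueError("control not modelled here: " + control)
    return (any_success and not required_failed), consulted

if __name__ == "__main__":
    stack = parse_stack(SYSTEM_AUTH)
    for ldap_ok, unix_ok in [(True, False), (False, True), (False, False)]:
        result = evaluate(stack, {"pam_ldap.so": ldap_ok, "pam_unix.so": unix_ok})
        print("ldap=%s unix=%s ->" % (ldap_ok, unix_ok), result)
```

In this model a pam_ldap success ends the walk at the `sufficient` line, so pam_unix is not consulted; pam_unix decides the result only when pam_ldap fails.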