>> It wasn't working until I enabled >> PAMAuthenticationViaKbdInt.
> I thought it started working when you added the users' home dir (or > pam_mkhomedir). Are you sure about that fix? I could have sworn that was when it started working (/me looks back through notes). The pam_mkhomedir wasn't added until a few minutes later. It was then when I noticed a message referencing a missing user home directory that pam_mkhomedir was added. Just turned it off and removed pam_mkhomedir. Still able to login with several accounts just fine. Weird. Didn't do that before :-) I'm tabling that until later. The point is I can log in now. >> Problem is I'm requiring it for security reasons. Tough call. 777 to /home >> or no priv seperation. I think I'll check out the PAM modules code and see >> if there is a work around. >I don't know. Are the home directories that are created when you set /home to 777 owned by the correct user, or by sshd? Ok. Set home to 777 and added pam_mkhomedir again to system-auth. When I login it creates the users home directory just fine. The user is the owner of the directory. Interesting... If I can do the same thing with the default /home rights then I'm set. Looks like it switches to the user account then creates the user's home directory. Bummer :-( > By default, anyone in the world can connect to the LDAP server and read > data that's not private. There's nothing insecure about that (except > for the binding part, but you should be filtering these connections at > your edge firewall). We are. However the requirements are pretty strict as defined by my employer. I'm hoping to convince them it's unnecessary. {snip} > * stores the username/password in plain text on every machine you configure as an LDAP client > * sends the username/password over the network, usually in plain text > The last two are where anonymous access is actually more secure than > forcing authentication for any read access. The data that's readable is > not sensitive, so avoiding management logins just means that there's > less privilege that's likely to be escalated. Is this also the case when using TLS and LDAP? I really do appreciate your assistence! ! I've never dived this deep into LDAP and PAM before. Getting comfortable with the two finally :-) Thx again! -- redhat-list mailing list unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe https://listman.redhat.com/mailman/listinfo/redhat-list