<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] Help needed with ldap server.and gdm.
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Help%20needed%20with%20ldap%20server.and%20gdm.&In-Reply-To=%3C514EE849.6030800%40gmail.com%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="023757.html">
   <LINK REL="Next"  HREF="023763.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] Help needed with ldap server.and gdm.</H1>
    <B>Guillaume Rousse</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Help%20needed%20with%20ldap%20server.and%20gdm.&In-Reply-To=%3C514EE849.6030800%40gmail.com%3E"
       TITLE="[Mageia-dev] Help needed with ldap server.and gdm.">guillomovitch at gmail.com
       </A><BR>
    <I>Sun Mar 24 12:49:29 CET 2013</I>
    <P><UL>
        <LI>Previous message: <A HREF="023757.html">[Mageia-dev] Help needed with ldap server.and gdm.
</A></li>
        <LI>Next message: <A HREF="023763.html">[Mageia-dev] freeze push : snort
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#23772">[ date ]</a>
              <a href="thread.html#23772">[ thread ]</a>
              <a href="subject.html#23772">[ subject ]</a>
              <a href="author.html#23772">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>On 23/03/2013 21:41, David W. Hodgins wrote:
&gt;<i> Any suggestions?
</I>You're mixing issues here.

pam only deals with authentication and authorization. The problem is not 
to make a choice from pam_unix, or pam_pwdb, or pam_tcb, but to express 
the fact that a user can authenticate from either local password 
database or ldap passwd database:
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so

Most modules accept debug option to help troubleshooting.

Once you have resolved your authentication and authorization issues for both 
users (console login, su, whatever), you can deal with the list of 
people enumerated in gdm, but in gdm configuration.

Also, the documentation you're using is a bit outdated:
- bdb makes more sense today than ldbm as storage backend
- ssha is a better choice than crypt for default password encoding scheme
- using a rootdn with a password defined in slapd.conf is quite discussable
- ACLs such as 'access to dn=&quot;.*,dc=mylan,dc=net&quot;' would better be 
defined as 'access to dn.subtree=&quot;dc=mylan,dc=net&quot;' (no regex involved)
- examples given use rfc2307 schema, whereas rfc2307bis (group 
membership defined through dn, not uids) is a better choice
- and more important: nss_ldap and pam_ldap are getting deprecated 
nowadays, in favor of nss_pam_slapd, or sssd.

-- 
BOFH excuse #235:

The new frame relay network hasn't bedded down the software loop 
transmitter yet.
</PRE>
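<P>Added example, not part of the original message: a small Python model of how the three auth lines quoted above are evaluated, so the effect of <TT>sufficient</TT>, <TT>use_first_pass</TT> and the closing <TT>pam_deny.so</TT> can be traced per user. The account stores, user names and passwords are constructed for illustration, and only the <TT>sufficient</TT> and <TT>required</TT> control flags are modelled.</P>

```python
# Added illustration, not code from the message: a small model of how
# Linux-PAM walks an auth stack. Only "sufficient" and "required" are modelled.

# Constructed sample account stores (hypothetical users and passwords).
LOCAL_USERS = {"root": "local-secret"}
LDAP_USERS = {"alice": "ldap-secret"}

def pam_unix(user, password):
    return user in LOCAL_USERS and LOCAL_USERS[user] == password

def pam_ldap(user, password):
    # use_first_pass: reuse the password the earlier module already
    # collected instead of prompting again (modelled by passing it in).
    return user in LDAP_USERS and LDAP_USERS[user] == password

def pam_deny(user, password):
    return False  # always fails: makes the stack fail closed

# The three auth lines from the message, in order.
STACK = [("sufficient", pam_unix),
         ("sufficient", pam_ldap),
         ("required", pam_deny)]

def authenticate(stack, user, password):
    """Return (granted, trace) for one pass through the stack."""
    required_ok = False
    required_failed = False
    trace = []
    for control, module in stack:
        ok = module(user, password)
        trace.append((module.__name__, control, ok))
        if control == "sufficient":
            if ok and not required_failed:
                return True, trace  # success here ends the stack at once
            continue                # otherwise the result is ignored
        if ok:
            required_ok = True
        else:
            required_failed = True  # later lines still run; result is failure
    return required_ok and not required_failed, trace

if __name__ == "__main__":
    for user, pw in [("root", "local-secret"), ("alice", "ldap-secret"),
                     ("alice", "wrong"), ("mallory", "guess")]:
        granted, trace = authenticate(STACK, user, pw)
        print(user, "granted" if granted else "denied", [t[0] for t in trace])
```

<P>Line order matters in this model as it does in PAM: if the <TT>required pam_deny.so</TT> line is moved above the two <TT>sufficient</TT> lines, every login is denied even with a correct password.</P>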
<!--endarticle-->
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>