No sooner said than done; it's nice of you to reply already:

/etc/pam_ldap.conf
*************************************
###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure to configure this file
#
# @(#)$Id: ldap.conf,v 1.24 2001/09/20 14:12:26 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
host 19x.xx.xx.xx

# The distinguished name of the search base.
base o=yo,c=fr

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=net

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=admin,ou=people,dc=example,dc=net
#rootbinddn cn=bfmc,o=yo,c=fr

# The port.
# Optional: default is 389.
#port 389

# The search scope.
scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
#bind_timelimit 30

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#:w
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Group to enforce membership of
pam_groupdn "cn=betedesex,ou=Group,o=yo,c=fr"

# Group member attribute
pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password crypt

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

#
# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#pam_password nds

# For IBM SecureWay support, do:
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
pam_password clear
#pam_crypt local
*************************
/etc/libnss-ldap.conf
*************************
###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure libnss-ldap to configure this file.
#
# @(#)$Id: ldap.conf,v 2.30 2001/09/22 10:57:56 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
host 19x.xx.xx.xx

# The distinguished name of the search base.
base o=yo,c=fr

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=bfmc,o=yo,c=fr

# The credentials to bind with.
# Optional: default is no credential.
bindpw xxxx

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
#bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,o=yo,c=fr?one
nss_base_shadow ou=People,o=yo,c=fr?one
nss_base_group ou=Group,o=yo,c=fr?sub
nss_base_hosts ou=computers,o=yo,c=fr?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member

# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
# Alternatively, if you wish to equivalence W2K and POSIX
# groups, change the uniqueMember mapping line to:
#nss_map_attribute uniqueMember member

# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword

# For IBM AIX SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
******************************************
/etc/nsswitch.conf
******************************************
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap
automount:      ldap

hosts:          files ldap dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
**************************

I'll spare you the contents of /etc/pam.d, which is entirely traditional......

Eric Gerbier wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Boukhairi Abderahim wrote:
>
>
>>Hello everyone,
>>
>>A little question about LDAP and its authentication.
>>Context:
>>Debian unstable, openldap, pam_ldap, nssldap and all the rest.
>>I have authentication working fine, automounting working
>>fine, pure bliss!
>>But I would like authentication to depend on
>>membership of a group.
>>
>>
>
>
>
>>Apparently the system understands what I am asking of it, but gets it the wrong way round.
>>
>>If some brilliant, LDAP-experienced mind would kindly show me the
>>way, I will sing their praises from the rooftops ;) ;)
>>
>>
>
>I do have an idea:
>
>PAM can be configured to try several authentication methods
>in succession.
>For example, on my setup, we start by querying LDAP, and in case of a
>problem we carry on with local authentication, so that we can
>keep working if the network or the LDAP server crashes.
>
>To be sure, I would need to see your complete PAM config, if it
>is not too secret.
>
>- --
>Eric Gerbier
>cnrm/cti
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.7 (GNU/Linux)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>iD8DBQE/tOBCNzh6q8tvpCoRAkZ6AJ9x1WaGTzqMlWI5NNkB+jSeKdnbmwCfbrBH
>HPPoaDFjlnQZq1JSUJgbyQU=
>=GWFr
>-----END PGP SIGNATURE-----
>
>
>--------------------------------------------------------------------
>The occult mailing lists: <URL:http://www.CULTe.org/listes/>
>

-- 
Boukhairi Abderahim
INRA BIA
0561285065
~*-,._.,-*~''~*-,._.,-*~''~MOOD,-*~''~*-,._.,-*~''~*-,._.,-*~
It's not that I'm afraid to die. I just don't want to be there when it happens.
Woody Allen.
~*-,._.,-*~''~*-,._.,-*~''~END-MOOD,-*~''~*-,._.,-*~''~*-,._.,-*~
1010101111011110 binary = 125736 octal = 43998 decimal = ABDE hexadecimal ;)
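
The successive-module behaviour described in the quoted reply can be modelled in a few lines. This is an added example, not part of the original thread: the three PAM stacks are constructed samples (the poster's /etc/pam.d was not shown), and it assumes that pam_ldap applies pam_groupdn during account management, so the group check only runs if the account stack actually reaches pam_ldap.so.

```python
# Added illustration, not from the thread: a simplified model of how
# Linux-PAM walks one stack. Only the four classic control flags are
# handled, and module results are supplied by the caller.

def parse_stack(text, facility):
    """Return [(control, module)] for one facility from pam.d-style lines."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """results: module -> True (success) or False (failure).
    Returns (granted, modules_consulted)."""
    failed = succeeded = False
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted          # fail at once
        if control in ("required", "requisite"):
            failed = failed or not ok        # a failure is remembered
            succeeded = succeeded or ok
        elif control == "sufficient" and ok and not failed:
            return True, consulted           # success ends the stack here
        # a failing "sufficient" and any "optional" result are ignored
    return succeeded and not failed, consulted

# Constructed samples (not the poster's /etc/pam.d, which was not shown).
AUTH_LDAP_THEN_LOCAL = """
auth    sufficient  pam_ldap.so
auth    required    pam_unix.so use_first_pass
"""
ACCOUNT_UNIX_FIRST = """
account sufficient  pam_unix.so
account required    pam_ldap.so
"""
ACCOUNT_LDAP_REQUIRED = """
account required    pam_ldap.so
account required    pam_unix.so
"""

if __name__ == "__main__":
    # LDAP unreachable, local password correct: login still works.
    print(evaluate(parse_stack(AUTH_LDAP_THEN_LOCAL, "auth"),
                   {"pam_ldap.so": False, "pam_unix.so": True}))
    # User outside the pam_groupdn group: pam_ldap would refuse the account.
    outsider = {"pam_unix.so": True, "pam_ldap.so": False}
    for sample in (ACCOUNT_UNIX_FIRST, ACCOUNT_LDAP_REQUIRED):
        print(evaluate(parse_stack(sample, "account"), outsider))
```

In the second sample the account is granted with only pam_unix.so consulted, so a group restriction configured in pam_ldap is never evaluated; in the third it is consulted and the login is refused.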