User talk:Bobpaul

From ArchWiki
Jump to: navigation, search

PAM LDAP Authentication

Hi, thanks for you edits to LDAP Authentication! I was hoping someone would update the PAM section, as I know little about the subject.

However, I was wondering about the following section:

First edit /etc/pam.d/system-auth. (...) Make pam_ldap.so sufficient at the top of each section, except in the session section, where we make it optional.

Could you explain why the session section is other than the rest? I would really appreciate it, and I think it would be useful to add the explaination to the page!

Thanks! --Lonaowna (talk) 23:27, 13 November 2013 (UTC)

The arch devs seem to pull a lot of upstream decisions from fedora, so their pam documentation should apply nicely to us. (I guess pam is pretty generic, but our conf.d is organized similar to theirs.) Looking over that should give a pretty good idea of what sufficient, required, and optional do and some idea what auth, account, password, and session are.
Now that said, I'm still not entirely sure what session does ;) The upstream configuration example for nss-pam-ldapd shows session as optional, as do several other examples I've seen. Today's edits to the wiki were very much the result of my own experimentation.
I suppose I would expect sufficient to also work for session (as the documentation says failures are ignored). That's probably something to ask upstream.Bobpaul (talk) 00:07, 14 November 2013 (UTC)
Thanks for your response! :) I'll take a look upstream at the links you've provided, and will report any findings of my quest back at the Arch Wiki. ;)
--Lonaowna (talk) 00:20, 14 November 2013 (UTC)
I made some new edits that hopefully add some clarity without being too detailed. I like the formatting changes you made; the bold is a nice touch. At our office we use smbldap-useradd to create users and users can change their ldap passwords with smbpasswd (we haven't gotten password changing with passwd working yet). I'm holding off on adding these things to the wiki as I'm a bit concerned about making things a mess (people can get overwhelmed with options, and LDAP seems to be needlessly scary for people unfamiliar with it). Thoughts? I suspect wanting passwd to be able to change ldap passwords is something that will appeal to many users, not sure about the samba stuff. Bobpaul (talk) 17:34, 19 November 2013 (UTC)
Your new edits look very useful! I've done some experimentation, and it looks like adding password sufficient pam_ldap.so to /etc/pam.d/passwd is enough to enable password-changing with passwd. I also had to modify the access controls on my LDAP server to make the password editable by the user. I've added both to the wiki. It looks like everything works like this. But again: I'm no expert so please check for yourself, I might have added huge security holes or something like that! :) --Lonaowna (talk) 19:13, 19 November 2013 (UTC)
The most common 2 failure modes I've noticed with incorrect pam configuration is that whatever you're trying to do doesn't work, even with the correct password, or that it does work even with an incorrect password. So as a sanity check, make sure passwd isn't allowing users to change the password if they don't know their original. You could also check if "sudo passwd" works (hopefully not) to reset a password for someone who's a local machine admin but not an ldap domain admin (ex: engineers have sudo access on their own machines (but nowhere else) so that they can install packages and updates on their own. But we certainly don't want that to allow user1 to change user2's password). Bobpaul (talk) 19:33, 19 November 2013 (UTC)
Thanks again for your feedback! I ran all the tests you mentioned, and everything seems to be working like it should. I'll leave it like this on the wiki page, hopefully it is useful to someone. --Lonaowna (talk) 20:09, 19 November 2013 (UTC)