PAM LDAP Authentication
Hi, thanks for your edits to LDAP Authentication! I was hoping someone would update the PAM section, as I know little about the subject.
However, I was wondering about the following section:
First edit /etc/pam.d/system-auth. (...) Make pam_ldap.so sufficient at the top of each section, except in the session section, where we make it optional.
Could you explain why the session section is other than the rest? I would really appreciate it, and I think it would be useful to add the explanation to the page!
- The Arch devs seem to pull a lot of upstream decisions from Fedora, so their PAM documentation should apply nicely to us. (I guess PAM is pretty generic, but our conf.d is organized similarly to theirs.) Looking over that should give a pretty good idea of what sufficient, required, and optional do and some idea what auth, account, password, and session are.
- Now that said, I'm still not entirely sure what session does ;) The upstream configuration example for nss-pam-ldapd shows session as optional, as do several other examples I've seen. Today's edits to the wiki were very much the result of my own experimentation.
- I suppose I would expect sufficient to also work for session (as the documentation says failures are ignored). That's probably something to ask upstream. Bobpaul (talk) 00:07, 14 November 2013 (UTC)
- Thanks for your response! :) I'll take a look upstream at the links you've provided, and will report any findings of my quest back at the Arch Wiki. ;)
- --Lonaowna (talk) 00:20, 14 November 2013 (UTC)
- I made some new edits that hopefully add some clarity without being too detailed. I like the formatting changes you made; the bold is a nice touch. At our office we use smbldap-useradd to create users and users can change their ldap passwords with smbpasswd (we haven't gotten password changing with passwd working yet). I'm holding off on adding these things to the wiki as I'm a bit concerned about making things a mess (people can get overwhelmed with options, and LDAP seems to be needlessly scary for people unfamiliar with it). Thoughts? I suspect wanting passwd to be able to change ldap passwords is something that will appeal to many users, not sure about the samba stuff. Bobpaul (talk) 17:34, 19 November 2013 (UTC)
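
On the question above about sufficient versus optional in the session section, here is an added example (not part of the discussion, the wiki page, or Linux-PAM itself): a simplified Python model of how the control keywords documented in pam.conf(5) are evaluated, run over a constructed session stack. The stack contents, module outcomes and function name are assumptions made for illustration; bracketed `[value=action]` controls are not modelled.

```python
"""Simplified model of Linux-PAM control-keyword evaluation (pam.conf(5))."""

CONTROLS = {"required", "requisite", "sufficient", "optional"}


def run_stack(stack, outcomes):
    """Evaluate one PAM stack.

    stack    -- list of (control, module) tuples in file order
    outcomes -- dict: module name -> True (success) / False (failure)
    Returns (granted, modules_called).
    """
    called = []
    failed = False      # a required module has failed earlier in the stack
    succeeded = False   # at least one module has returned success
    for control, module in stack:
        if control not in CONTROLS:
            raise ValueError(f"unsupported control: {control}")
        ok = outcomes[module]
        called.append(module)
        if ok:
            if control == "sufficient" and not failed:
                # Success ends the stack here: later modules are never called.
                return True, called
            succeeded = True
        elif control == "requisite":
            return False, called   # failure ends the stack immediately
        elif control == "required":
            failed = True          # remember failure, keep running the stack
        # a failed sufficient or optional module is ignored
    return (succeeded and not failed), called


# Constructed session stacks (assumption: not copied from any real system-auth).
SESSION_SUFFICIENT = [
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_limits.so"),
    ("required", "pam_unix.so"),
]
SESSION_OPTIONAL = [("optional", "pam_ldap.so")] + SESSION_SUFFICIENT[1:]

# Constructed module outcomes for an LDAP account and a local-only account.
LDAP_USER = {"pam_ldap.so": True, "pam_limits.so": True, "pam_unix.so": True}
LOCAL_USER = {"pam_ldap.so": False, "pam_limits.so": True, "pam_unix.so": True}

if __name__ == "__main__":
    for name, stack in (("sufficient", SESSION_SUFFICIENT), ("optional", SESSION_OPTIONAL)):
        for user, outcomes in (("ldap", LDAP_USER), ("local", LOCAL_USER)):
            print(name, user, run_stack(stack, outcomes))
```

In this model a successful sufficient pam_ldap.so ends the session stack before pam_limits.so and pam_unix.so are called for the LDAP account, while optional lets every session module run for both accounts.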