
PAM, LDAP, I need a hint please

zaxxon

MIS
Dec 12, 2001
226
DE
Hi,

we currently have several AIX 5.2 and 5.3 boxes running and are not using NIS.
There is also an LDAP server in our company (Novell eDirectory), and we are asked to have our users on the AIX boxes managed solely via LDAP. This should not include accounts like root or technical users.
So far, we have thought about compiling and setting up pam_ldap on our AIX boxes.
Checking the options we would have using PAM authentication, I saw that it is usually used system-wide for every user (pam.conf). Only for HP-UX did I find something like pam_user.conf, where you can specify different options for different users.
Is there a way to specify different behavior for users on AIX, for example so that root and some technical users will not use pam_ldap for authentication but just the local authentication mechanisms?

Any hint would be very helpful, thanks in advance.

laters
zaxxon
 
i think 5.3 is a little nicer for configuring PAM, IMO.

as long as your server that manages your regular user accounts in PAM does not have an entry for root, etc, then i think you'll be ok.

if you use openssh for remote logins, then set UseLogin to no, otherwise your password rules for your users will fall under AIX. there are also some settings in sshd_config that you'll want to turn on for PAM + openssh.
 
AIX user management using LDAP adheres to the RFC 2307-based schema. Hence the AIX LDAP client can operate against LDAP servers on other platforms, as long as they support the RFC 2307-based schema.

Nice webcast at click on AIX 5L: Security Features & Standards


Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

 
Maybe I described it somewhat unclearly, sorry. I'll try again:

@Breslau
Yes, we use ssh, telnet and lots of other services/protocols, but my question was a different, more general one:
For example, if I force telnet logins to be authenticated by pam_ldap in pam.conf, ALL will be forced to be checked against the LDAP server, if I understood it right. I would for sure set it to "required". Having root not be managed by the LDAP server as you suggested would then just not let me in successfully, if I am correct. So I thought of some sort of config or a completely different method to separate auth behavior for different users via PAM.

@mrn
I already know that AIX 5.2+ supports LDAP, both the "IBM" LDAP and RFC 2307 LDAP; that is nothing new for me. I asked if it is possible in PAM to have root and technical users be auth'ed by, let's say, pam -> shadow or pam_aix or something, and other users by -> pam_ldap.


ie.:
Code:
root-------|
techusr1---|----> pam_aix
techusr2---|

karl-------|
fritz------|
heinz------|----> pam_ldap
joe--------|
marc-------|
devs-------|

Is there any chance to have accounts/users/groups authenticated by different PAM modules instead of only having the service as the criterion?

laters
zaxxon
 
Ok.

we have a slightly different config here. and now that i think about it, none of the non-PAM-managed accounts we use have remote access, they are su'ed to from a general user account. so maybe what i described above doesn't apply for you... i haven't really tested it.

no problem tho with root logging in direct via a host's console the way we have it set now (no root account listed on the ldap server).
 
AIX can support primary & secondary authentication methods

Primary - LDAP
Secondary - System

If pam_ldap fails, but pam_unix succeeds, the operation will succeed (this is extremely helpful in cases where root is not in the ldap directory, but is still in the local /etc/passwd file!).

The 'pam_ldap' module will prompt the user for a password, and then check the ldap directory indicated in /etc/ldap.conf to authenticate the user. If this fails, the operation can still succeed if 'pam_unix' succeeds in authenticating the user.

Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

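As an added illustration of mrn's primary/secondary point (this is not code from the thread), here is a small Python model of a pam.conf-style auth stack: it evaluates the control flags over two constructed configs, one with pam_ldap as sufficient followed by a required local module (standing in for pam_aix/pam_unix) and one with both modules required, to show why root, who is absent from LDAP, still gets in with the first and is locked out with the second. The module paths, users and passwords are constructed, and the flag semantics follow Linux-PAM conventions, which may differ in detail from AIX's implementation.

```python
# Simulated PAM 'auth' stack evaluator (added example, not from the thread).
# Models the control flags sufficient/required/requisite/optional so the
# effect of "sufficient pam_ldap, required local" versus "required pam_ldap"
# on a user missing from LDAP (root) can be checked without a real system.

# Constructed sample data: who is in LDAP and who exists only locally.
LDAP_USERS = {"karl": "k-pass", "fritz": "f-pass"}
LOCAL_USERS = {"root": "r-pass", "techusr1": "t-pass", "karl": "old-local"}


def pam_ldap(user, password):
    return LDAP_USERS.get(user) == password


def pam_local(user, password):  # stands in for pam_aix / pam_unix
    return LOCAL_USERS.get(user) == password


MODULES = {"pam_ldap": pam_ldap, "pam_local": pam_local}


def parse_stack(conf, service):
    """Return [(flag, module_name)] for the 'auth' lines of one service."""
    stack = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        svc, mtype, flag, module = line.split()[:4]
        if svc == service and mtype == "auth":
            stack.append((flag, module.rsplit("/", 1)[-1]))
    return stack


def authenticate(stack, user, password):
    """Walk the stack top to bottom with Linux-PAM-style flag semantics."""
    required_failed = False
    for flag, name in stack:
        ok = MODULES[name](user, password)
        if flag == "sufficient" and ok and not required_failed:
            return True  # short-circuit: no later module is consulted
        if flag == "requisite" and not ok:
            return False  # immediate failure
        if flag == "required" and not ok:
            required_failed = True  # keep walking, but the result is failure
        # 'optional' results are ignored
    return not required_failed


# Constructed pam.conf fragments (service, module type, flag, module path).
FALLBACK_CONF = """
login auth sufficient /usr/lib/security/pam_ldap
login auth required   /usr/lib/security/pam_local
"""
STRICT_CONF = """
login auth required /usr/lib/security/pam_ldap
login auth required /usr/lib/security/pam_local
"""
```

Note that the fallback also keeps a stale local entry (karl's old local password) valid whenever LDAP rejects him, so local /etc/passwd entries for LDAP-managed users should be removed or locked.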
 
Np Breslau, thanks though.

mrn, PRIMARY and SECONDARY sounds a bit familiar.. saw it, never used it. Thanks for the hint :)

So it seems there is at least no way to tell PAM in its config file that users will be checked in addition to service names. OK.

laters
zaxxon
 