/usr/share/doc/libpam-ldap/README.Debian is in libpam-ldap 186-4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | libpam-ldap for Debian
----------------------
- Be very careful when you use "sufficient pam_ldap.so" in Debian's
/etc/pam.d/common-* files: Some services can place other "required"
PAM-modules after the includes, which will be ignored if pam_ldap.so
succeeds. As a workaround, use something like the following construct:
# Check local authentication first, so root can still login
# while LDAP is down.
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
The third line is needed, so "success=1" can skip over one module and
still has a module to jump to. Without that, PAM segfaults!
- If you want to use the "pam_check_host_attr" feature, make sure
"pam_unix.so" doesn't provide a valid "account" via the Name Service
Switch (NSS), which overrides your LDAP configuration. Don't use "ldap"
for "shadow" in /etc/nsswitch.conf, just use "shadow: files". For PAM,
use something like the following:
# Try local /etc/shadow first and skip LDAP on success
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so
- Debian uses /etc/pam_ldap.conf as libpam-ldap's configuration file and
/etc/pam_ldap.secret as the file to store the password of the rootbinddn.
- See LDAP-Permissions.txt for details about the required LDAP permissions.
|