Ldap – PAM and LDAP with variable base DN


I have a network of computers which are using LDAP for user authentication (Free IPA v1.2). I am using the same LDAP server, but a different DN subtree, for external users of a web portal. I have just added a new third party web application which uses PAM to authenticate users, so I've added

auth      required       pam_ldap.so
account   required       pam_ldap.so

to the /etc/pam.d/new_webapp PAM configuration file. The problem is that this uses /etc/ldap.conf which looks to authenticate users from the system base DN (i.e. users who can ssh in with a username/password), but instead I'd like it to use a different base DN: the one associated with the web portal users. I had hoped /etc/pam_ldap.conf might help me with this, but no luck. What would be beautiful would be if I could do something like:

auth      required       pam_ldap.so conf /etc/ldap_web.conf

or

auth      required       pam_ldap.so base "cn=accounts, cn=webportal, dc=example, dc=com"

I'm looking for suggestions on how I can solve this. The only other thing I can think of is to compile an alternative pam_ldap.so that looks at an alternative configuration file.

Thanks in advance for any feedback on this problem.

Ian

Here is the exception I get when I try to login with a user that is only on the webportal (web i/f):

Apr 29 02:22:31 portal rserver[7341]: ERROR pam_authenticate failed: User not known to the underlying authentication module; LOGGED FROM: int server::pam_auth::<unnamed>::PAMAuth::login(const std::string&, const std::string&) /root/rstudio/src/cpp/server/ServerPAMAuth.cpp:201

And this is the error when I try to login with a user that does have a system account:

Apr 29 02:22:48 portal rserver[7342]: ERROR pam_authenticate failed: Module is unknown; LOGGED FROM: int server::pam_auth::<unnamed>::PAMAuth::login(const std::string&, const std::string&) /root/rstudio/src/cpp/server/ServerPAMAuth.cpp:201

Best Answer

You can do exactly what you're asking for. Use:

auth        required       pam_ldap.so config=/etc/ldap_web.conf

See the man page for more details.
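A worked version of the accepted answer, added here as an example and not part of the original question or answer: it writes the alternate ldap.conf that config= points at, writes a PAM service file whose auth and account lines both carry the option, and lints a service file for pam_ldap.so lines that silently fall back to /etc/ldap.conf. The LDAP URI, TLS settings and all file paths are illustrative assumptions; only the base DN comes from the question. Everything runs in a scratch directory, so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values: the LDAP URI,
# the CA path and every file path; the base DN is the one from the question.

# Alternate ldap.conf for portal users. Only PAM services that name it with
# config= consult it; system logins keep using /etc/ldap.conf.
write_ldap_web_conf() {            # $1 = path to write
    cat > "$1" <<'EOF'
# consulted only by PAM services that pass config=<this file> to pam_ldap.so
uri ldap://ipa.example.com/
base cn=accounts,cn=webportal,dc=example,dc=com
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
EOF
}

# PAM service file. Both phases get the option: an "account" line left without
# config= falls back to /etc/ldap.conf and therefore to the system subtree.
write_pam_service() {              # $1 = service file, $2 = ldap config path
    cat > "$1" <<EOF
auth      required       pam_ldap.so config=$2
account   required       pam_ldap.so config=$2
EOF
}

# Lint: report pam_ldap.so lines that lack config=. Returns 1 if any are found.
# It looks for the module name rather than a fixed column, so bracketed control
# fields such as [success=1 default=ignore] are handled.
lint_pam_ldap_config() {           # $1 = PAM service file
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            mod = 0
            for (i = 1; i <= NF; i++) if ($i ~ /pam_ldap\.so$/) mod = i
            if (!mod) next
            has = 0
            for (i = mod + 1; i <= NF; i++) if ($i ~ /^config=/) has = 1
            if (!has) { printf "%s: %s line uses default ldap.conf\n", FILENAME, $1; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Which base DN a phase resolves to: the config= file if the line names one,
# otherwise the system ldap.conf ($3, default /etc/ldap.conf).
effective_base() {                 # $1 = service file, $2 = auth|account, $3 = system ldap.conf
    sys=${3:-/etc/ldap.conf}
    conf=$(awk -v phase="$2" '
        /^[[:space:]]*#/ { next }
        $1 == phase {
            for (i = 1; i <= NF; i++) if ($i ~ /pam_ldap\.so$/)
                for (j = i + 1; j <= NF; j++) if (sub(/^config=/, "", $j)) { print $j; exit }
        }' "$1")
    awk '$1 == "base" { print $2; exit }' "${conf:-$sys}"
}

# Demonstration in a scratch directory.
demo=$(mktemp -d)
write_ldap_web_conf "$demo/ldap_web.conf"
write_pam_service "$demo/new_webapp" "$demo/ldap_web.conf"
lint_pam_ldap_config "$demo/new_webapp" && echo "new_webapp: every pam_ldap line has config="
echo "auth phase base: $(effective_base "$demo/new_webapp" auth /dev/null)"
# A half-done service file: auth points at the portal config, account does not.
printf 'auth    required pam_ldap.so\naccount required pam_ldap.so config=%s\n' "$demo/ldap_web.conf" > "$demo/half_done"
lint_pam_ldap_config "$demo/half_done" || echo "half_done: account phase would still use the system base DN"
rm -rf "$demo"
```

Two checks worth keeping in mind when reading the errors quoted in the question: "User not known to the underlying authentication module" is PAM_USER_UNKNOWN, i.e. the module ran but found no such user in the subtree it searched, whereas "Module is unknown" is PAM_MODULE_UNKNOWN, which PAM returns when a module named in the service file could not be loaded at all. The second one is therefore a reason to confirm the module path and architecture of pam_ldap.so before looking at LDAP settings.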