
I am running Ubuntu 10.10 and trying to set up PAM with pam_ldap.

The guide at: http://wiki.debian.org/LDAP/PAM says, among other things:

In order to globally enable LDAP authentication through PAM, configure /etc/pam_ldap.conf accordingly and edit the /etc/pam.d/common-* files so that they contain something like this:

/etc/pam.d/common-account:

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

Now, taking this one file as an example, I see:

# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 default=ignore]      pam_ldap.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so

My question is, do I remove the things currently in that file, replacing them with the ones from the guide - or do I append the things from the guide to the end of the file?

NinjaCat

1 Answer


The second file you copied should already permit access via LDAP.

The first rule will attempt to authenticate through the standard Unix mechanism (passwd/shadow). If that fails, then the second rule gets called and attempts to authenticate with pam_ldap. If that then fails, login is denied.

On a side note, when implementing PAM, don't forget to test things step by step.

Ensure that you can search via ldapsearch to verify that your /etc/pam_ldap and/or /etc/nss_ldap are configured correctly.

Also ensure that getent passwd / getent group returns both Unix and LDAP accounts to verify that your /etc/nsswitch.conf is configured correctly.

jonathanserafini
  • Thanks for the tips on the testing. Indeed you are correct. Can't tell if something just got broken if you don't know if it ever worked. To clarify, do I remove the things currently in that file, replacing them with the ones from the guide - or do I append the things from the guide to the end of the file? – NinjaCat Jan 21 '11 at 10:32
  • NinjaCat : I would not modify that PAM file at all. I believe the guide you are looking at is out of date, or at least doesn't take into account the modifications that Ubuntu has made to the files. As I'd mentioned, your PAM files already seem to hook into LDAP authentication. – jonathanserafini Jan 21 '11 at 15:58
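To see why the answer says the Ubuntu stack already reaches pam_ldap, here is an added Python model of how libpam evaluates the control field of each line (the success=2 / success=1 jumps, ok/bad/done/die, and the rule that ok never overrides an earlier failure). This is example code written for this thread, not code from the original posts or from Linux-PAM, and the return codes fed to each module are constructed assumptions rather than what the real modules return.

```python
import re

# Constructed samples: the Ubuntu /etc/pam.d/common-account stack quoted in the
# question, and the stack suggested by the Debian wiki guide.
UBUNTU_STACK = """\
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 default=ignore]      pam_ldap.so
account requisite                       pam_deny.so
"""
GUIDE_STACK = """\
account required   pam_unix.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required   pam_permit.so
"""
# Legacy control keywords and their bracketed equivalents, per pam.conf(5).
LEGACY = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def parse_stack(text):
    """Parse one PAM type's lines into [(module, {return_code: action})]."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            control, module = re.match(r"\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)", line).groups()
            ctl = (dict(kv.split("=", 1) for kv in control[1:-1].split())
                   if control.startswith("[") else LEGACY[control])
            stack.append((module, ctl))
    return stack

def evaluate(stack, results):
    """Walk the stack as libpam does; results maps module -> its return code."""
    state, i = None, 0
    while i < len(stack):
        module, ctl = stack[i]
        rc = results[module]
        action = ctl.get(rc, ctl["default"])
        jump = int(action) if action.isdigit() else 0   # "N" means ok + skip N modules
        if action in ("ok", "done") or jump:
            if state in (None, "success"):   # ok never overrides an earlier failure
                state = rc
            if action == "done" and state == "success":
                break
        elif action in ("bad", "die"):
            if state in (None, "success"):   # first failure fixes the stack's result
                state = rc
            if action == "die":
                break
        i += 1 + jump                        # "ignore" just falls through to here
    return state if state is not None else "perm_denied"
```

With the Ubuntu stack, a user pam_unix knows never reaches pam_ldap, an LDAP-only user skips pam_deny, and an unknown user ends at pam_deny.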