
So far, from what I understand, it gets given a username/password pair; it then searches the LDAP for the username and tries to log into the LDAP using the distinguished name and the password pair. If that succeeds then the authentication is successful; if not, then it isn't.

So how does this match up to a schema?

Is there an absolutely minimal schema that PAM requires (for example: something that just contains dn and password) or is it configured to search through a particular field name for a match on the username and then compare the password to one in another specified field?

Aaron

2 Answers


There are default schemas you can use for this purpose, but if really necessary, you can configure the LDAP module to tell it exactly where to find possible users. How this is done depends on the PAM module used (e.g. pam-ldap, pam-ldapd or sssd).

The minimal set of fields you need is username, numerical uid, home directory, shell and password.

Sven

Just to name one, what about the posixAccount objectClass? In OpenLDAP it is included in the nis schema file:

olcObjectClasses: {0}( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction o
 f an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNu
 mber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ 
 description ) )

As it is auxiliary, you still need a structural objectClass, person for instance.

473183469
  • I strongly prefer the rfc2307bis schema. Its posixGroup is an auxiliary class. This allows it to be combined with groupOfNames, unlike the one in the nis schema. – 84104 Oct 29 '15 at 16:59
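As an added example (not code from either answer), a small Python check that parses the posixAccount definition quoted above and reports what would stop a candidate user entry from being accepted: the MUST attributes it lacks, and the structural objectClass the answer says must accompany the auxiliary class. The sample entry and the set of structural class names are constructed assumptions.

```python
import re

# The posixAccount definition quoted in the answer above (OpenLDAP nis schema,
# LDIF-folded: continuation lines start with a single space).
POSIX_ACCOUNT_DEF = """\
olcObjectClasses: {0}( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction o
 f an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNu
 mber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $
 description ) )
"""
# Assumed structural classes a user entry may carry (both STRUCTURAL in the core schemas).
STRUCTURAL_CLASSES = {"person", "inetOrgPerson"}

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def parse_objectclass(definition):
    """Return NAME, kind and the MUST/MAY attribute lists of an olcObjectClasses value."""
    body = unfold_ldif(definition)[0].split(":", 1)[1]
    name = re.search(r"NAME '([^']+)'", body).group(1)
    kind = re.search(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b", body).group(1)
    def attrs(keyword):
        m = re.search(keyword + r"\s*\(([^)]*)\)", body)
        return [a.strip() for a in m.group(1).split("$")] if m else []
    return {"name": name, "kind": kind, "must": attrs("MUST"), "may": attrs("MAY")}

def check_entry(entry, aux_class, structural_classes=STRUCTURAL_CLASSES):
    """List what would make the server reject `entry`: absent MUST attributes
    of the auxiliary class, and no structural objectClass alongside it."""
    present = {k.lower() for k in entry}
    problems = ["missing " + a for a in aux_class["must"] if a.lower() not in present]
    classes = set(entry.get("objectClass", []))
    if aux_class["name"] not in classes:
        problems.append("objectClass %s not listed" % aux_class["name"])
    if not classes & structural_classes:
        problems.append("no structural objectClass")
    return problems

SAMPLE_ENTRY = {  # constructed: posixAccount alone, and no gidNumber
    "objectClass": ["posixAccount"], "cn": "Alice Example", "uid": "alice",
    "uidNumber": "10001", "homeDirectory": "/home/alice",
    "loginShell": "/bin/bash", "userPassword": "{SSHA}constructed-placeholder",
}
```

Running `check_entry(SAMPLE_ENTRY, parse_objectclass(POSIX_ACCOUNT_DEF))` lists the missing gidNumber and the missing structural class; adding both makes the list empty.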