[SOLVED] PAM LDAP - Overriding attributes

Support for security such as Firewalls and securing linux
oakenshield
Posts: 3
Joined: 2014/05/23 05:30:04

[SOLVED] PAM LDAP - Overriding attributes

Post by oakenshield » 2014/05/23 05:47:44

Hello,
I am using PAM LDAP on our department servers to authenticate our users (a few dozen) against a central LDAP server (containing all users of the university, including ours).
I have no control over the central LDAP server, so I have to take what I can get. I want to override the shell as well as the gid.

In Debian the following worked in the /etc/ldap.conf

# Do not want default korn shell
nss_override_attribute_value loginShell /bin/bash
# Set gid to 100- not nice but works for my case...
nss_override_attribute_value gidNumber 100

I am new to CentOS. I have the impression that it worked in 5.x(?), but it has no effect in my 6.5 installation.
=> Is there a convenient way to override the shell and gid when using PAM LDAP?

Thank you for any hints or ideas.

Best,

Rüdiger

TrevorH
Forum Moderator
Posts: 26320
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PAM LDAP - Overriding attributes

Post by TrevorH » 2014/05/23 07:42:31

Did you try changing /etc/pam_ldap.conf?
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

oakenshield
Posts: 3
Joined: 2014/05/23 05:30:04

Re: PAM LDAP - Overriding attributes

Post by oakenshield » 2014/05/23 08:51:31

Hello,
yes, I put the override into /etc/pam_ldap.conf (see below). It's my standard procedure when setting up a new server.
It does not have the expected effect. But then, nss_override_attribute_value is not documented in the man page of pam_ldap.
So I guess I have to look for an alternative way to force a specific gid and shell. Or maybe it should work?
I could not find any recent discussion about this topic.


uri ldaps://[...] ldaps://[...]
base ou=[...]
timelimit 10
bind_timelimit 5
idle_timelimit 3600
ssl on
tls_cacertfile /etc/ssl/ca-bundle.crt
pam_password crypt
nss_base_passwd [...]
nss_base_group [...]
bind_policy soft
pam_min_uid 1000
nss_override_attribute_value loginShell /bin/bash
nss_override_attribute_value gidNumber 100
# Add all local system users here (typically user-id < 1000)
nss_initgroups_ignoreusers 

TrevorH
Forum Moderator
Posts: 26320
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PAM LDAP - Overriding attributes

Post by TrevorH » 2014/05/23 09:31:22

The only thing I could find on a quick google search was http://linux.web.cern.ch/linux/docs/account-mgmt.shtml - specifically the bit right down the bottom about using nslcd and map but it would appear to override for everyone which may not be quite what you wanted?
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

oakenshield
Posts: 3
Joined: 2014/05/23 05:30:04

Re: PAM LDAP - Overriding attributes

Post by oakenshield » 2014/05/23 12:12:14

In fact it perfectly fits my needs:

/etc/nslcd.conf:


[...]
map    passwd loginShell       "/bin/bash"
map    passwd gidNumber     "100"
/etc/init.d/nslcd restart

Thank you!
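As an added illustration, not code from this thread or from the nss-pam-ldapd project: a small Python model of how nslcd's `map` directive rewrites the passwd entries it hands to NSS. It contrasts the literal override used above, which applies to every user nslcd serves (the point the moderator raised), with the `${attr:-default}` expression form that nslcd.conf(5) supports (assumed here from the man page's map expression syntax), which only fills in a value the directory lacks. The config fragments and LDAP entries are constructed; the two audit helpers surface what an administrator would want to check before rolling this out: a directory account deliberately set to /sbin/nologin becoming interactive, and all LDAP users ending up in one shared primary group (gid 100 is normally `users`).

```python
import re
from typing import Dict, List, Tuple

# Constructed nslcd.conf fragments (the thread's real file is elided with [...]).
# Literal form, as used in the thread: applies to every passwd entry nslcd serves.
NSLCD_CONF_LITERAL = """
map    passwd loginShell       "/bin/bash"
map    passwd gidNumber        "100"
"""

# Default-only form (assumed from nslcd.conf(5) expression syntax): keeps the
# directory value when present and supplies a default only when it is missing.
NSLCD_CONF_DEFAULT_ONLY = """
map    passwd loginShell       "${loginShell:-/bin/bash}"
map    passwd gidNumber        "${gidNumber:-100}"
"""

# Constructed posixAccount entries, as the central server might return them.
ENTRIES: List[Dict[str, str]] = [
    {"uid": "alice", "loginShell": "/bin/ksh", "gidNumber": "5000"},
    {"uid": "svc-backup", "loginShell": "/sbin/nologin", "gidNumber": "5001"},
    {"uid": "bob"},  # no loginShell or gidNumber set in the directory
]

NON_INTERACTIVE = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

MAP_RE = re.compile(r'^\s*map\s+(\w+)\s+(\w+)\s+(.+?)\s*$')
EXPR_RE = re.compile(r'\$\{(\w+)(?::-([^}]*))?\}')


def parse_maps(conf: str) -> Dict[Tuple[str, str], str]:
    """Return {(database, attribute): expression} for each `map` directive."""
    maps: Dict[Tuple[str, str], str] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]  # drop comments
        m = MAP_RE.match(line)
        if m:
            db, attr, expr = m.groups()
            maps[(db, attr)] = expr.strip('"')
    return maps


def expand(expr: str, entry: Dict[str, str]) -> str:
    """Evaluate ${attr} / ${attr:-default} against the original LDAP entry."""
    def sub(m: "re.Match[str]") -> str:
        name, default = m.group(1), m.group(2)
        value = entry.get(name)
        if value:
            return value
        return default if default is not None else ""
    return EXPR_RE.sub(sub, expr)


def apply_maps(maps: Dict[Tuple[str, str], str], db: str,
               entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Simulate what nslcd returns for `db` after its map directives run."""
    result = []
    for entry in entries:
        mapped = dict(entry)
        for (mdb, attr), expr in maps.items():
            if mdb == db:
                mapped[attr] = expand(expr, entry)
        result.append(mapped)
    return result


def reenabled_shells(before: List[Dict[str, str]],
                     after: List[Dict[str, str]]) -> List[str]:
    """uids whose shell went from a non-interactive one to an interactive one."""
    return [
        b["uid"]
        for b, a in zip(before, after)
        if b.get("loginShell") in NON_INTERACTIVE
        and a.get("loginShell") not in NON_INTERACTIVE
    ]


def shared_primary_group(after: List[Dict[str, str]]) -> bool:
    """True when every mapped entry ends up in the same primary group."""
    return len({e.get("gidNumber") for e in after}) == 1


if __name__ == "__main__":
    for name, conf in (("literal", NSLCD_CONF_LITERAL),
                       ("default-only", NSLCD_CONF_DEFAULT_ONLY)):
        mapped = apply_maps(parse_maps(conf), "passwd", ENTRIES)
        print(f"== {name} ==")
        for e in mapped:
            print(f"  {e['uid']:<11} shell={str(e.get('loginShell')):<14} "
                  f"gid={e.get('gidNumber')}")
        print("  re-enabled shells:", reenabled_shells(ENTRIES, mapped))
        print("  single shared primary gid:", shared_primary_group(mapped))
```

Run it and the literal form reports `svc-backup` as re-enabled and a single shared gid, while the default-only form reports neither; only `bob`, who has no values in the directory, picks up /bin/bash and gid 100. Whichever form is chosen, `getent passwd <uid>` after `nslcd` restarts is the quick way to confirm the real daemon agrees with the model.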
