Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

From: Amos Gouaux (+)
Date: Wed Aug 08 2001 - 10:06:17 EDT


>>>>> On Wed, 08 Aug 2001 02:11:28 -0700,
>>>>> David Wright <> (dw) writes:

dw> The pwcheck distributed with cyrus-sasl is not useful to me. My
dw> users are not in /etc/passwd -- they are ONLY in an LDAP

Configure your name switch so that getpwnam/getspnam lookups go out
through LDAP. If you've already got pam_ldap, then that's trivial.
The advantage to this is that your admin user, typically "cyrus",
does not have to be in LDAP too. So you don't want these folks to
login? Okay, either use tcpwrappers to block access and/or some PAM
module that restricts access (we do both).

dw> network. pam_ldap does this nicely, so any pwcheck daemon that did
dw> all this would basically be re-implementing the functionality of
dw> pam_ldap. Can you kindly point me to a pwcheck daemon that just
dw> calls PAM?

/etc/imapd.conf:

sasl_pwcheck_method: pwcheck

/usr/local/lib/sasl/Cyrus.conf:

pwcheck_method: pwcheck

Then just configure your nsswitch to use ldap. The above is from a
Solaris system, but from the PAM stuff I've dealt with on Linux, I
think this should be pretty similar. This is the nsswitch.conf
we've got on a Redhat box:

passwd: files ldap
group: files ldap

-- 
Amos
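
An added check script (example code, not from this post or from the Cyrus project) that reads the three settings Amos lists from given file paths and verifies they agree: sasl_pwcheck_method in imapd.conf, pwcheck_method in the SASL application config, and an nsswitch.conf passwd line that includes ldap. The sample config files the demo writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: verify the pwcheck/nsswitch
# settings described in the thread. Paths are passed as arguments.

# conf_value FILE KEY -> prints the value of a "KEY: value" line (comments dropped)
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#]*\).*/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# nss_has_ldap FILE DB -> 0 if the DB line (e.g. passwd) lists the ldap source
nss_has_ldap() {
    awk -v db="$2" 'BEGIN { key = db ":" }
        /^[[:space:]]*#/ { next }          # skip comment lines
        { sub(":", ": ") }                 # tolerate "passwd:files ldap"
        $1 == key { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit !found }' "$1"
}

# check_pwcheck_setup IMAPD_CONF SASL_APP_CONF NSSWITCH_CONF -> 0 when all three agree
check_pwcheck_setup() {
    [ "$(conf_value "$1" sasl_pwcheck_method)" = "pwcheck" ] \
        || { echo "$1: sasl_pwcheck_method is not pwcheck" >&2; return 1; }
    [ "$(conf_value "$2" pwcheck_method)" = "pwcheck" ] \
        || { echo "$2: pwcheck_method is not pwcheck" >&2; return 1; }
    nss_has_ldap "$3" passwd \
        || { echo "$3: passwd line does not consult ldap" >&2; return 1; }
    return 0
}

# demo -> 0 when a constructed good setup passes and a constructed bad one fails
demo() {
    dir=$(mktemp -d) || return 1
    printf 'sasl_pwcheck_method: pwcheck\n' > "$dir/imapd.conf"
    printf 'pwcheck_method: pwcheck\n' > "$dir/Cyrus.conf"
    printf '# constructed nsswitch.conf\npasswd: files ldap\ngroup: files ldap\n' > "$dir/nss.good"
    printf 'passwd: files\ngroup: files ldap\n' > "$dir/nss.bad"   # ldap missing for passwd
    check_pwcheck_setup "$dir/imapd.conf" "$dir/Cyrus.conf" "$dir/nss.good" \
        && ! check_pwcheck_setup "$dir/imapd.conf" "$dir/Cyrus.conf" "$dir/nss.bad" 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run `check_pwcheck_setup /etc/imapd.conf /usr/local/lib/sasl/Cyrus.conf /etc/nsswitch.conf` against a real host; a non-zero exit names the setting that disagrees.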
