# ldap and update system-auth

## Frautoincnam

Hi,

I use LDAP (openldap) for years now, but I'm not a specialist at all.

At the time I had followed the documentation https://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP#Client_PAM_configuration_the_pam_ldap_module_method

to configure /etc/pam.d/system-auth client.

But, year after year, updates modify this file, and the documentation doesn't take care about that.

So now, I don't know what to do with my actual system-auth file.

For the moment, I have :

```
auth            required        pam_env.so
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
auth            optional        pam_permit.so
auth            required        pam_deny.so
auth            optional        pam_cap.so

account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         optional        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_unix.so use_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_ldap.so use_authtok try_first_pass
password        optional        pam_permit.so

-session        optional        pam_elogind.so
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
session         optional        pam_ldap.so
```

And all works fine.

But the latest sys-auth/pambase-20200917 update suggests a new file to me, and if I add the same lines from the documentation, I get:

```
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
auth            optional        pam_permit.so
auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth            sufficient      pam_unix.so nullok try_first_pass
auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600

account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         optional        pam_permit.so
account         required        pam_faillock.so

password        required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_ldap.so use_authtok use_first_pass
password        optional        pam_permit.so

-session        optional        pam_libcap.so
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_ldap.so
session         optional        pam_permit.so
```

And I can't log in with it.

Could an expert tell me exactly what to put that is consistent with the updates and my needs, please?

----------

## alamahant

Hi

NOT an expert but maybe you should try to modify the revised system-auth like this:

```
###auth            required        pam_unix.so try_first_pass likeauth nullok ###REPLACE THIS WITH:
auth            sufficient        pam_unix.so try_first_pass likeauth nullok

###password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow###AND THIS WITH:
password        sufficient        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
```

 :Very Happy: 

----------

## Frautoincnam

 *alamahant wrote:*   

> Hi
> 
> NOT an expert but maybe you should try to modify the revised system-auth like this:
> 
> ```
> ...

 

Works, thank you.

I hope I won't have any other problems. I really don't understand anything about this file, and it gets more and more complicated over the years.

----------

## alamahant

It is not that complicated. 

"pam_unix.so"

is the pam module for local auth by checking if a user is found in "/etc/shadow".

"pam_ldap.so"

on the other hand is for network authenticating a user against an ldap dbase.

If you had left the first with the "required" flag, that would have meant that UNLESS a user is a local user it would prohibit login.

By using "sufficient" you allow both.

If local-user OR network-user then authenticate.

The main thing that changed with pam is that "pam_cracklib.so" is deprecated in favor of "pam_passwdqc.so" both of which enforce password strength standards.

 :Very Happy: 

----------

## Frautoincnam

Ok, but why not for account and session ?

----------

## alamahant

There are four stanzas:

Auth

Account

Password

Session.

The first authenticates the user against a backend. In case of local this will be /etc/shadow. In case of ldap it will be an ldap dbase. There are other user store backends like, for example, kerberos and sssd, which is much preferable to plain ldap and acts as a great orchestrator of anything about authentication etc.

The second checks if a specific user is INDEED allowed to login ie not expired etc.

The third allows password change by the user.

The fourth controls the session.

Your account seems ok.

If you need to have the user's homedir created @login you can insert the following at the beginning of the session stanza.

```
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
```

 :Very Happy: 

----------

## Frautoincnam

Ok but what I asked, and what I don't understand is why I don't need to replace "required" by "sufficient" for account and session as I needed for auth and password.

But don't bother, I'll read some documentation to find out.

Thanks for all.

----------

## alamahant

Play with it.

Try to do as you say and see what happens.....

The important thing was to get you logged in.

Now you can fine tune it and study it as much as you like....

At least this is how I approach problems....

 :Very Happy: 

----------

## Frautoincnam

What is the point of having 2 lines auth pam_unix.so ?

Latest pambase update gives:

```
# grep "^auth.*pam_unix" /etc/pam.d/._cfg0000_system-auth
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_unix.so nullok try_first_pass
```

EDIT : already there https://bugs.gentoo.org/747868

----------

## Frautoincnam

More and more complicated with the latest update:

```
auth            required        pam_env.so
auth            requisite       pam_faillock.so preauth
auth            [success=1 default=ignore]      pam_unix.so nullok  try_first_pass
auth            [default=die]   pam_faillock.so authfail
auth            optional        pam_permit.so
-auth           optional        pam_cap.so

account         required        pam_unix.so
account         required        pam_faillock.so
account         optional        pam_permit.so

password        required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
```

I had to try hard to get something working, without understanding a lot, and it seems I have to replace "[success=1 default=ignore]" by "sufficient". If not, if I have a password in /etc/shadow, login is rejected for some users (and not for all)...

```
auth            required        pam_env.so
auth            requisite       pam_faillock.so preauth
auth            sufficient      pam_unix.so nullok  try_first_pass
auth            sufficient      pam_ldap.so use_first_pass
auth            [default=die]   pam_faillock.so authfail
auth            optional        pam_permit.so
-auth           optional        pam_cap.so

account         sufficient      pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_faillock.so
account         optional        pam_permit.so

password        required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_ldap.so use_authtok use_first_pass
password        optional        pam_permit.so

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_ldap.so
session         optional        pam_permit.so
```

```
diff -u system-auth.update system-auth

--- system-auth.orig    2020-11-06 12:33:22.020402183 -0400

+++ system-auth 2020-11-06 12:45:01.342993735 -0400

@@ -1,19 +1,24 @@

 auth           required        pam_env.so

 auth           requisite       pam_faillock.so preauth

-auth           [success=1 default=ignore]      pam_unix.so nullok  try_first_pass

+#auth          [success=1 default=ignore]      pam_unix.so nullok  try_first_pass

+auth           sufficient      pam_unix.so nullok  try_first_pass

+auth           sufficient      pam_ldap.so use_first_pass

 auth           [default=die]   pam_faillock.so authfail

 auth           optional        pam_permit.so

 -auth          optional        pam_cap.so

 

-account          required      pam_unix.so

-account         required        pam_faillock.so

-account         optional        pam_permit.so

+account          sufficient    pam_unix.so

+account          sufficient    pam_ldap.so

+account          required      pam_faillock.so

+account          optional      pam_permit.so

 

 password       required        pam_passwdqc.so config=/etc/security/passwdqc.conf

-password       required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow

+password       sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow

+password       sufficient      pam_ldap.so use_authtok use_first_pass

 password       optional        pam_permit.so

 

 session          required      pam_limits.so

 session          required      pam_env.so

 session          required      pam_unix.so

+session          optional      pam_ldap.so

 session          optional      pam_permit.so
```
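Review bot: in the account block, `+account          sufficient    pam_unix.so` ends the stack as soon as the local account check passes, so for local users `+account          required      pam_faillock.so` is never reached and the failure tally is not reset after a successful login (the account phase is where pam_faillock clears the counter). Put the faillock line first in the block (`account required pam_faillock.so`, then the two `sufficient` lines, then `pam_permit.so`) so it runs for every user before the stack short-circuits. The auth part of the hunk is sound: the original `[success=1 default=ignore]` jumps over exactly one module on success, and once `pam_ldap.so` is inserted directly after `pam_unix.so` that jump lands on `[default=die] pam_faillock.so authfail`, which is exactly the "password in /etc/shadow, login rejected" behaviour described above; `sufficient` (or `[success=2 default=ignore]`) avoids it.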

Anybody using ldap with pam_ldap here to verify that I do not jeopardize the security of my system?

And a subsidiary question (unrelated to ldap): do I need to modify ENCRYPT_METHOD in /etc/login.defs to SHA512, or is it useless?
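The behaviour discussed in this thread (alamahant's "required vs sufficient" explanation earlier, and the `[success=1 default=ignore]` line that rejected local logins once pam_ldap was inserted after it) is easier to reason about with a small model of how libpam walks a stack. The following is an added example, not code from the thread or from Linux-PAM: it implements the control-flag rules from pam.d(5) (the four keyword expansions, `ok`/`bad`/`die`/`done`/`ignore` and the numeric jump) and walks the pambase stacks quoted above with constructed module outcomes. The module results (`LOCAL_USER`, `LDAP_USER`) are assumptions, and the model ignores `reset` and per-module side effects; it only shows which modules run and what the stack returns.

```python
import re

# Expansions of the four simple control keywords, as documented in pam.d(5).
SIMPLE_CONTROLS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

# "-auth [success=1 default=ignore] pam_unix.so nullok" -> ("-", "auth", "[...]", "pam_unix.so", " nullok")
LINE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]+\]|\S+)\s+(\S+)(.*)$")


def parse_stack(text, stanza):
    """Return [(module, {return_code: action}), ...] for one stanza of a pam.d file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(2) != stanza:
            continue
        control = m.group(3)
        spec = SIMPLE_CONTROLS.get(control, control.strip("[]"))
        actions = dict(tok.split("=", 1) for tok in spec.split())
        entries.append((m.group(4), actions))
    return entries


def evaluate(entries, module_results):
    """Walk a parsed stack the way libpam does; return (final status, modules invoked).

    module_results maps a module name to the return code it is assumed to give;
    modules not listed are assumed to return "success".
    """
    status = None              # None: no module has contributed a result yet
    invoked = []
    i = 0
    while i < len(entries):
        module, actions = entries[i]
        i += 1
        retval = module_results.get(module, "success")
        invoked.append(module)
        action = actions.get(retval, actions.get("default", "bad"))  # unlisted code -> "bad"
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if status is None or status == "success":
                # first failure wins; "die" on a success code still fails the whole stack
                status = retval if retval != "success" else "perm_denied"
            if action == "die":
                break
            continue
        # "ok", "done" and a jump count N all contribute like "ok"
        if status is None or status == "success":
            status = retval
        if action == "done":
            if status == "success":    # sufficient ends the stack only if nothing failed earlier
                break
        elif action.isdigit():
            i += int(action)           # jump over the next N modules
    return ("perm_denied" if status is None else status), invoked


# Constructed stacks: pambase's current auth block with the wiki's pam_ldap line inserted
# after pam_unix, and the same block with "sufficient" in place of the jump.
AUTH_PAMBASE_PLUS_LDAP = """\
auth    required        pam_env.so
auth    requisite       pam_faillock.so preauth
auth    [success=1 default=ignore]      pam_unix.so nullok try_first_pass
auth    sufficient      pam_ldap.so use_first_pass
auth    [default=die]   pam_faillock.so authfail
auth    optional        pam_permit.so
-auth   optional        pam_cap.so
"""
AUTH_FIXED = AUTH_PAMBASE_PLUS_LDAP.replace("[success=1 default=ignore]", "sufficient")

ACCOUNT_SUFFICIENT_FIRST = """\
account sufficient      pam_unix.so
account sufficient      pam_ldap.so
account required        pam_faillock.so
account optional        pam_permit.so
"""
ACCOUNT_FAILLOCK_FIRST = "account required        pam_faillock.so\n" + \
    ACCOUNT_SUFFICIENT_FIRST.replace("account required        pam_faillock.so\n", "")

# Assumed module outcomes (constructed): a user with a password in /etc/shadow but not in
# LDAP, and a user that exists only in LDAP.
LOCAL_USER = {"pam_unix.so": "success", "pam_ldap.so": "auth_err"}
LDAP_USER = {"pam_unix.so": "auth_err", "pam_ldap.so": "success"}


def pam_result(stack_text, stanza, module_results):
    return evaluate(parse_stack(stack_text, stanza), module_results)


if __name__ == "__main__":
    for name, stack in (("pambase+ldap", AUTH_PAMBASE_PLUS_LDAP), ("sufficient", AUTH_FIXED)):
        for who, results in (("local", LOCAL_USER), ("ldap", LDAP_USER)):
            print(f"{name:13} {who:5}", pam_result(stack, "auth", results))
    print("account, sufficient first:", pam_result(ACCOUNT_SUFFICIENT_FIRST, "account", LOCAL_USER))
    print("account, faillock first:  ", pam_result(ACCOUNT_FAILLOCK_FIRST, "account", LOCAL_USER))
```

Running it shows the local user failing with `perm_denied` on the pambase+ldap stack because the `success=1` jump skips `pam_ldap.so` and lands on the `[default=die]` faillock line, while the LDAP-only user succeeds on both stacks. The account runs show that with `pam_unix.so` marked `sufficient` first, `pam_faillock.so` is never invoked for a local user, whereas listing it first keeps it in the path.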

----------

## alamahant

Hi

Plz have a look at this

https://forums.gentoo.org/viewtopic-t-1127557-highlight-.html

----------

