sys-auth/pambase currently allows for auto-configuring a few optional PAM modules, such as pam_mktemp and pam_ssh. I'd like to request that it also support the PAM setup for pam_ldap. I'll follow up in a few moments with my first pass at patches to accomplish that. I'm not a PAM expert, so be gentle. I'd certainly welcome any feedback. My changes take the form of an epatch, but would be integrated into the source files if accepted, since they are from Gentoo.

Note 1: while the ldap stuff gets put in /etc/pam.d/system-auth, /etc/ldap.conf isn't touched since that's environment specific, but the user is warned that it needs to be set up. Failure to do so should not cause any login problems, though, if I understand correctly, because the ldap.so lines in system-auth do not interfere with normal UNIX-style authentication.

Note 2: It didn't seem to me that any modification of /etc/pam.d/system-services was necessary. I could be wrong. :)
Created attachment 201464: Patch to pambase-20090620.1 source to add support for pam_ldap. For the ebuild patch that will follow, this file should be placed in pambase's $FILESDIR/20090620.1/ldap.patch.
Created attachment 201466: Patch to pambase-20090620.1-r1.ebuild to enable LDAP support.
Created attachment 201473: Patch to pambase-20090620.1-r1.ebuild to enable LDAP support. Removed a completely unnecessary condition. Sorry about the repeat.
Almost forgot to credit the "Gentoo Guide to OpenLDAP Authentication" at http://www.gentoo.org/doc/en/ldap-howto.xml. My modifications to /etc/pam.d/system-auth are an adaptation of those suggested in that guide.
Since I have no clue about LDAP auth at all, I'd like to ask our resident LDAP guys to take a look at that as well. Mike, instead of a patch inside the ebuild, the best thing would be to just patch pambase in its GIT repository ( http://git.overlays.gentoo.org/gitweb/?p=proj/pambase.git;a=summary ), so you also would be credited. Only please try to keep with the style (tabulation and alignment).
Your ldap.patch is buggy in that it keeps redeclaring "auth sufficient pam_ldap.so". Other than that, it's mostly OK. Depending on actual user needs, they might want to bring in the actual auth pam_ldap before auth pam_unix, with relevant changes to use_first_pass. Additionally, for the Gentoo infra, we do this for account:

account required pam_unix.so
account [success=done new_authtok_reqd=done perm_denied=bad default=ignore] pam_ldap.so

I also agree with Diego that feeding this upstream (via Diego) is probably best. Maybe check up on the other distros' integration of pam_ldap to see that the inclusion would work out best.
Created attachment 201819: Patch to pambase-20090620.1 source to add support for pam_ldap. Doh! Can't believe I missed that. Cut and paste gone awry. :( I have a git patch ready. Is simply attaching that here the right procedure to submit it for upstream, since upstream is Diego?
Created attachment 202165: git-formatted patch to pambase source. Diego emailed me to let me know I should attach the git-formatted source patch, so here it is. Of course, the ebuild patch is needed as well, except src_unpack() can be removed.
Comment on attachment 202165 (git-formatted patch to pambase source): It'll have to be reformed a bit. Right now I added support for Kerberos auth, without using the sufficient stuff that would break desktop systems. The problem is integrating multiple stacks; I'll see what I can do.
Possibly implement LDAP just like Kerberos is done, but with a check to make sure the USE flags are mutually exclusive (so that you can always use "success=1" instead of having to calculate how many lines to skip)? This type of structure wouldn't allow for authentication systems of more than one service + unix, but such configurations have to be pretty rare, right? Right? :|

Mike Nerone
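The control-flag behaviour these comments argue about (a "sufficient" pam_ldap line before or after a "required" pam_unix line, the infra account stack with perm_denied=bad, and the "success=1" skip count that is only right when exactly one line follows) can be checked without touching a real PAM stack. The script below is an added illustration for this thread, not pambase code and not part of any attached patch. It expands the pam.conf(5) keywords required/requisite/sufficient/optional into their documented [value=action ...] form and applies the actions ok, done, bad, die, ignore, reset and N (skip N modules) in order for one management group. The stacks and the per-module return values (an assumed LDAP-only user for whom pam_unix returns auth_err) are constructed inputs chosen to show the effect; real pam_unix/pam_ldap results depend on nsswitch and /etc/ldap.conf. Module arguments such as use_first_pass are parsed but not modelled.

```python
"""Linux-PAM control-flag evaluator for one management group (auth or account).

Added illustration for this thread; not pambase code.  Follows the action
rules of pam.conf(5).  Module outcomes come from a dict, nothing calls libpam.
"""

# pam.conf(5) equivalences for the four control keywords.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
MUST_FAIL = "perm_denied"   # returned when no module decided anything


def parse_stack(text):
    """Parse 'type control module [args...]' lines into (action_table, module)."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        _mgmt, rest = line.split(None, 1)
        if rest.startswith("["):                  # explicit [value=action ...] form
            ctl, rest = rest[1:].split("]", 1)
            table = dict(kv.split("=", 1) for kv in ctl.split())
        else:
            ctl, rest = rest.split(None, 1)
            table = KEYWORDS[ctl]
        stack.append((table, rest.split()[0]))   # module arguments are not modelled
    return stack


def evaluate(stack, results):
    """Return (stack_status, modules_consulted); results maps module -> PAM return name."""
    impression = None      # None: undecided, True: positive, False: negative
    status, consulted, skip = MUST_FAIL, [], 0
    for table, module in stack:
        if skip:                                  # jumped over by a previous N action
            skip -= 1
            continue
        retval = results[module]
        consulted.append(module)
        action = table.get(retval, table["default"])
        if action == "ignore":
            continue
        if action == "reset":
            impression, status = None, MUST_FAIL
            continue
        if action in ("bad", "die"):              # first failure fixes the stack status
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
            continue
        # ok / done / N contribute only while no earlier module has failed
        if impression is None or (impression and status == "success"):
            impression, status = True, retval
        if action == "done":
            if impression and status == "success":
                break                             # short-circuit: later lines never run
            # sufficient success after a required failure: keep walking the stack
        elif action.isdigit():
            skip = int(action)
    return (status if impression is not None else MUST_FAIL), consulted


def run(stack_text, results):
    return evaluate(parse_stack(stack_text), results)


# Constructed stacks for comparison (not pambase's shipped system-auth).
LDAP_SUFFICIENT_FIRST = "auth sufficient pam_ldap.so\nauth required pam_unix.so try_first_pass\n"
UNIX_REQUIRED_FIRST = "auth required pam_unix.so\nauth sufficient pam_ldap.so use_first_pass\n"
THREE_WAY_SKIP1 = """
auth [success=1 default=ignore] pam_ldap.so
auth [success=1 default=ignore] pam_krb5.so use_first_pass
auth required pam_unix.so try_first_pass
"""
THREE_WAY_SKIP2 = THREE_WAY_SKIP1.replace("success=1 default=ignore] pam_ldap",
                                          "success=2 default=ignore] pam_ldap")
INFRA_ACCOUNT = """
account required pam_unix.so
account [success=done new_authtok_reqd=done perm_denied=bad default=ignore] pam_ldap.so
"""
# Constructed outcome: a user that exists only in LDAP, so pam_unix cannot check the password.
LDAP_ONLY_USER = {"pam_ldap.so": "success", "pam_krb5.so": "auth_err", "pam_unix.so": "auth_err"}

if __name__ == "__main__":
    for name, stack in [("ldap sufficient first", LDAP_SUFFICIENT_FIRST),
                        ("unix required first", UNIX_REQUIRED_FIRST),
                        ("three-way, success=1", THREE_WAY_SKIP1),
                        ("three-way, success=2", THREE_WAY_SKIP2)]:
        print(f"{name:22} -> {run(stack, LDAP_ONLY_USER)}")
```

With the LDAP-only user, the two-line stack succeeds only when pam_ldap comes first: a required pam_unix failure ahead of a sufficient pam_ldap is not rescued by the later success. In the three-line stack, success=1 on pam_ldap skips pam_krb5 but still lands on pam_unix, whose failure sinks the login; success=2 is needed, which is the skip-count bookkeeping the comment above wants to avoid. In the account stack, perm_denied=bad is what lets an account explicitly denied in LDAP fail the stack after pam_unix has already said ok, while a user unknown to LDAP falls under default=ignore.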
Actually, in the new pambase I'm working on (branch m4 of the git repo) there is support for multiple authentication systems without the need for calculating skip lines.
What is the progress here? I would be interested in seeing this pushed to the tree.
I haven't had time to work on this in a very long time: it's a time-consuming job and I don't have a direct use for it... I tried getting funded to work on it but nobody seems to be interested in that... Feel free to pick up my m4 branch and work on it if you have the time and interest...
I am really not experienced in PAM, but I have an interest in an easy, straightforward way to set up PAM. I will try to look into that, but be aware of questions from me.
pam_ldap is rather nonsense to add to pambase; let's go for sss.