[WBEL-users] xscreensaver/LDAP problem
Jim Buchanan
bz73lg at eng.delcoelect.com
Thu Jan 27 08:19:02 CST 2005
At my company we are switching over to LDAP authentication.
We are running WBEL 3.0 Respin 1 (as well as some RedHat versions).
Using the man pages and Google, we got everything to accept LDAP
authentication through PAM except xscreensaver.
Some info/example files:
authconfig command used:
authconfig --disablemd5 --disableshadow --enablenis --nisdomain=<our NIS domain> --enableldaptls --enableldapauth --ldapserver="<our ldap servers>" --kickstart
/etc/pam.d/system-auth, generated by authconfig:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok nis
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
/etc/pam.d/sudo:
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_pwdb.so shadow nullok use_first_pass
As you can see, we are using local/NIS authorization if LDAP fails. We
will have to remove this (well, NIS; root still needs to be able to log
in w/o LDAP) and rely solely on LDAP to please our auditors.
The problem is that we can't find a way to get xscreensaver to unlock
using PAM/LDAP. We've tried everything we've thought of in the
/etc/pam.d/xscreensaver file; it seems to make no difference. I'm
wondering if the file is even read, as gross errors in the file do not
change how xscreensaver behaves.
I've not included this file, as we've tried so many variations that it
would double the size of this post.
I downloaded the Liberation source code disks, and could not find
xscreensaver on any of them. So I downloaded the generic source from
jwz's site and compiled it, making sure to use the "--with-pam"
switch, which I had seen mentioned on posts found with Google as a
reason that some binaries of xscreensaver would not use PAM. No good,
it behaved exactly as the one provided with WBEL (except I think I saw
some new screen hacks).
Is there anything we missed? Has anyone gotten this to work?
At some point in the future we're going to get RHEL with support, but
politics are holding that back, and we need the problem solved before
then.
Thanks!
--
Jim Buchanan bz73lg at eng.delcoelect.com
========================================================================
"We already have a zillion minimalistic languages. CS departments are
full of 'em. Sometimes you have to go around stomping the little
beggars just to keep their population in check." -Larry Wall
========================================================================
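
The local fallback the post says the auditors want removed can be checked mechanically. The sketch below is an added example, not part of the original post: it parses the auth lines quoted above and walks them with pam_ldap.so forced to fail. It assumes every other module succeeds, models only the required/requisite/sufficient controls, and its function names are illustrative.

```python
import os
import re

# auth lines copied from the two files quoted in the post
SYSTEM_AUTH = """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
"""
SUDO = """\
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_pwdb.so shadow nullok use_first_pass
"""

# type, control (simple word or [bracketed] form), module path, arguments
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text, kind="auth"):
    """Return (control, module, args) for each line of the given type."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not line or line.startswith("#") or not m or m.group(1) != kind:
            continue
        stack.append((m.group(2), os.path.basename(m.group(3)), m.group(4).split()))
    return stack

def evaluate(stack, outcome):
    """Walk the stack; outcome maps module name -> True/False.
    Unlisted modules are assumed to succeed, pam_deny.so always fails.
    Only required/requisite/sufficient affect the result here."""
    failed = False
    for control, module, _args in stack:
        ok = module != "pam_deny.so" and outcome.get(module, True)
        if control == "sufficient" and ok and not failed:
            return True          # success short-circuits the stack
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            failed = True        # remembered, remaining modules still run
    return not failed

def succeeds_without_ldap(text):
    """True if the auth stack can still pass when pam_ldap.so fails."""
    return evaluate(parse(text), {"pam_ldap.so": False})

if __name__ == "__main__":
    for name, text in (("system-auth", SYSTEM_AUTH), ("sudo", SUDO)):
        print(name, "passes without LDAP:", succeeds_without_ldap(text))
```

Both quoted stacks pass without LDAP; with the pam_unix.so line dropped from system-auth, the same check fails unless pam_ldap.so succeeds.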