May 2010 Archives


One of the entities for whom I regularly do work has requested that a server of theirs uses LDAP for authentication, and not the local password file. However, the system depends on the files to provide the user information (home directory, uid, gid, and so on). While the process has been documented in previous versions of RHEL, the process was again changed in RHEL 5. One of the fundamental requirements was that any access to LDAP use encryption. To this end, it was determined that the TLS method was sufficient, and supported by the LDAP vendor. The customer further dictated that the password changes would be implemented through a different mechanism. In RHEL 3 and RHEL 4, this alters the /etc/pam.d/system-auth file, adding or uncommenting the following primitives which have been highlighted:

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

In RHEL 5, these primitives have been moved to the /etc/ldap.conf file.  So to effect the same change, update /etc/ldap.conf, not /etc/pam.d/system-auth.

About this Archive

This page is an archive of entries from May 2010 listed from newest to oldest.

April 2010 is the previous archive.

August 2010 is the next archive.

Find recent content on the main index or look in the archives to find all content.