[CentOS] Where to find RHDS (Red Hat Directory Server) ?

Tue May 29 20:39:56 UTC 2007
Les Mikesell <lesmikesell at gmail.com>

Wei Yu wrote:
> Could you give more details? I am not familiar with PAM.
> I know it can use some "plugged" auth methods to do some job, but I do 
> not know which plug is suitable.

If you are running CentOS, all of your system authentication is probably 
being done by PAM for all programs that take a login and password except 
for apache.  If you run 'authconfig' you can set one or more methods 
that are then used by everything.  However, each service may still be 
configured separately.  If you look in the /etc/pam.d directory you will 
see a file for each service that contains the steps to follow.  The 
references to system-auth include the list built by authconfig - but you 
can change it per file if you want.

> What I want is just like Richardson's remarks. I want to use two auth 
> methods for web users and users who can have a shell, which the former 
> will care less about the security of the password. e.g. two different 
> passwords for them.
> I do want to know if there are better solutions.

If you really want your web access to be separate, PAM may not be the 
way to go.  Apache has a large number of internal authentication and 
authorization modules that can be used instead.  However, if you want to 
combine them, you can install the mod_auth_pam apache module and use a 
/etc/pam.d/httpd file like:

#%PAM-1.0
# auth: check login/password with the stack authconfig built in
# /etc/pam.d/system-auth (pam_stack.so nests that stack here)
auth       required     pam_stack.so service=system-auth
# account: always pass, so no local account entry is required
account    required     pam_permit.so

This uses the set of steps configured by authconfig to check a 
login/password pair but does not require any account info.  In my case I 
have smb authentication against a windows domain plus local linux 
accounts configured for the system. (The local account access requires 
making the /etc/shadow file readable by apache, which is a downside.) 
This lets anyone in the windows domain log in for web services but 
services like ssh or other login facilities will require account entries 
that won't exist unless I add users to the system.  In the latter case, 
either the domain or local passwords will work.

-- 
   Les Mikesell
    lesmikesell at gmail.com
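The /etc/pam.d layout described above, where each service file pulls in the stack authconfig built in system-auth, is easiest to audit by flattening it. The following script is an added example (Python, not code from the original post or from CentOS); the /etc/pam.d contents it reads are constructed in-line, and the function names are my own. It resolves both the old pam_stack.so form used in the post and the newer include/substack directives, so the same check works on current systems.

```python
"""Resolve the effective PAM module stack for a service.

Added example, not code from the original mailing-list post. It reads
PAM service files (e.g. /etc/pam.d/httpd), expands references to other
services, whether the old `pam_stack.so service=NAME` form used in the
post or the newer `include NAME` / `substack NAME` directives, and lists
the modules each management type (auth, account, ...) actually consults.
The configs below are constructed in-line so the script runs offline.
"""
import re

# Constructed sample of /etc/pam.d contents; not copied from a real host.
SAMPLE_PAM_D = {
    "system-auth": """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_smb_auth.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so md5 shadow nullok use_authtok
session     required      pam_unix.so
""",
    "httpd": """\
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_permit.so
""",
    "sshd": """\
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
session    include      system-auth
""",
}

# type, control (single word or bracketed [...] form), module, optional args
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


class IncludeLoop(ValueError):
    """Raised when service files include each other in a cycle."""


def parse_service(name, files):
    """Return (type, control, module, args) tuples for one service file."""
    if name not in files:
        raise KeyError(f"no PAM service file for {name!r}")
    entries = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"{name}: cannot parse line {raw!r}")
        mtype, control, module, args = m.groups()
        # a leading '-' on the type only silences logging if the module is missing
        entries.append((mtype.lstrip("-"), control, module, args or ""))
    return entries


def resolve(name, files, _chain=()):
    """Flatten stacked services into the modules a service consults.

    Shows *which* modules run, not the exact control-flow semantics: a
    substack or pam_stack.so verdict is folded into the outer line's control.
    """
    if name in _chain:
        raise IncludeLoop("include loop: " + " -> ".join(_chain + (name,)))
    chain = _chain + (name,)
    out = []
    for mtype, control, module, args in parse_service(name, files):
        if control in ("include", "substack"):
            target = module  # e.g. "auth include system-auth"
        elif module == "pam_stack.so":
            opts = dict(a.split("=", 1) for a in args.split() if "=" in a)
            target = opts.get("service")
            if not target:
                raise ValueError(f"{name}: pam_stack.so without service=")
        else:
            out.append((mtype, control, module, args))
            continue
        # only lines of the same management type are pulled in from the target
        out.extend(e for e in resolve(target, files, chain) if e[0] == mtype)
    return out


def modules_for(name, files, mtype):
    """Module names consulted for one management type, in stack order."""
    return [e[2] for e in resolve(name, files) if e[0] == mtype]


def auth_reads_shadow(name, files):
    """True if the auth stack runs pam_unix.so, which reads /etc/shadow and
    so needs the calling daemon (apache here) to be able to read that file."""
    return "pam_unix.so" in modules_for(name, files, "auth")


def has_include_loop(name, files):
    """True if resolving the service would recurse forever."""
    try:
        resolve(name, files)
    except IncludeLoop:
        return True
    return False


if __name__ == "__main__":
    for svc in SAMPLE_PAM_D:
        print(f"== {svc} ==")
        for mtype in ("auth", "account"):
            print(f"  {mtype:8} " + " -> ".join(modules_for(svc, SAMPLE_PAM_D, mtype)))
        print(f"  auth reads /etc/shadow: {auth_reads_shadow(svc, SAMPLE_PAM_D)}")
```

Run against the sample, httpd and sshd share the same auth modules (both end up in system-auth), but httpd's account phase is only pam_permit.so while sshd's goes through pam_nologin.so and pam_unix.so, which is exactly the split the post describes: domain users can log in to the web service, but a shell login still needs a real account. The auth_reads_shadow check flags the /etc/shadow exposure the post calls a downside; on a live host, point the functions at a dict built from os.listdir("/etc/pam.d") instead of the sample.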