Enabling LDAP for Dropbear

Ratan Gupta ratagupt at linux.vnet.ibm.com
Wed Aug 29 03:30:17 AEST 2018


Hi Richard,

thx for the response.

Seems the PAM config is not login, it is dropbear (/etc/pam.d/dropbear).

Currently this file includes the auth and the account modules:

cat /etc/pam.d/dropbear
#%PAM-1.0

auth     include  common-auth
account  include  common-account

So I added the session module and pointed it to common-session, and in 
common-session I had the following entries.

session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077 debug >>> pam_mkhomedir should have created the directory.
session sufficient      pam_unix.so debug
session sufficient /lib/security/pam_ldap.so debug

Ratan




On Tuesday 28 August 2018 09:46 PM, Thomaiyar, Richard Marian wrote:
> Ratan, which PAM config file did you try? It should be done in 
> /etc/pam.d/login (Not tried this, but can give a try)
>
> The problem with pam_mkhomedir.so is the home directory will not be 
> deleted after logout, and may end up with stale home directories (Need 
> to figure out a way for this?).
>
> Not aware about this Autofs, need to understand it before 
> making any comment.
>
> regards,
> Richard
>
>
> On 8/28/2018 3:23 PM, Ratan Gupta wrote:
>> Hi All,
>>
>> As part of enabling LDAP on the BMC, we are enabling LDAP on 
>> dropbear (ssh server) through PAM configuration; I am facing a problem 
>> when the ssh client tries to connect to the BMC through ssh.
>>
>> There are two steps involved when the ssh client connects to the ssh server:
>> 1) Authentication
>> 2) Open the shell
>>
>> I could see that authentication succeeds but opening the 
>> shell fails, since the home directory must exist for the 
>> LDAP user.
>>
>> To solve this I tried to make the following changes in the PAM config 
>> file.
>>
>> session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077 debug >>> pam_mkhomedir should have created the directory.
>> session sufficient      pam_unix.so debug
>> session sufficient /lib/security/pam_ldap.so debug
>>
>> Even after making the above changes I don't see that the home 
>> directory was created.
>>
>> NOTE: If I create the directory in advance, then I do not face this 
>> problem.
>>
>> Another option to solve this is to mount directories over the 
>> network with the use of the autofs service:
>>
>> https://help.ubuntu.com/community/AutofsLDAP
>>
>> Can somebody help me with what other options there are to create the home 
>> directories, and which one is used in the industry?
>>
>> Ratan
>>
>
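As an added check (not code from this thread or from OpenBMC), the script below follows `include`/`substack` lines the way PAM does and reports whether a session stack containing pam_mkhomedir.so is actually reachable from the dropbear service file. The pam.d file contents are constructed to mirror the files quoted above, including the /lib/security module paths; the layout is an assumption for the example.

```python
"""Resolve which PAM modules a service actually reaches by following
`include`/`substack` lines, then check whether pam_mkhomedir.so sits in
the session stack. File contents are constructed for this example."""
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for /etc/pam.d/* contents (assumed layout, not real files).
PAM_BEFORE: Dict[str, str] = {
    "dropbear": "#%PAM-1.0\nauth     include  common-auth\naccount  include  common-account\n",
    "common-auth": "auth sufficient pam_unix.so nullok\nauth required pam_ldap.so\n",
    "common-account": "account required pam_unix.so\n",
    "common-session": (
        "session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077 debug\n"
        "session sufficient      pam_unix.so debug\n"
        "session sufficient /lib/security/pam_ldap.so debug\n"
    ),
}
# Same files after adding the session include to the dropbear service.
PAM_AFTER = dict(PAM_BEFORE, dropbear=PAM_BEFORE["dropbear"] + "session  include  common-session\n")

Entry = Tuple[str, str, str, List[str]]  # (type, control, module, args)
# type, control ([...] form allowed), module path, then optional arguments
_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def resolve_stack(files: Dict[str, str], service: str, mtype: str, depth: int = 0) -> List[Entry]:
    """Ordered entries of `mtype` (auth/account/session/password) reached from `service`."""
    if depth > 8:  # guard against include loops in a broken config
        raise ValueError(f"include loop while resolving {service}")
    stack: List[Entry] = []
    for raw in files.get(service, "").splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = _LINE.match(line) if line else None
        if not m:
            continue
        mt, control, module, args = m.group(1), m.group(2), m.group(3), m.group(4).split()
        if mt.lstrip("-") != mtype:  # a leading "-" marks an optional module of the same type
            continue
        if control in ("include", "substack"):
            stack.extend(resolve_stack(files, module, mtype, depth + 1))
        else:
            stack.append((mt, control, module, args))
    return stack

def mkhomedir_in_session(files: Dict[str, str], service: str) -> bool:
    """True only if a session line for `service` reaches pam_mkhomedir.so."""
    return any(mod.endswith("pam_mkhomedir.so")
               for _, _, mod, _ in resolve_stack(files, service, "session"))

if __name__ == "__main__":
    for label, files in (("before", PAM_BEFORE), ("after", PAM_AFTER)):
        print(label, "session stack:", resolve_stack(files, "dropbear", "session"))
        print(label, "pam_mkhomedir reachable:", mkhomedir_in_session(files, "dropbear"))
```

A module listed in common-session but never included from the service's own file is never run, which is the situation with the first dropbear file quoted above; the check returns False for it and True once the session include is present.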


