Re: ldap+samba+autofs

Good morning Jesse.

I have set up something similar to what you want, so thought I would
give you some feedback.

On Thu, 2003-11-27 at 01:36, Jesse Keating wrote:
> So, I'm trying to set up a system here at work that uses LDAP for 
> central user auth, for both posix (nss_ldap) users, and for samba 
> users.  For even more fun, I plan on automounting the user's home dirs 
> (and possibly other shares).  These automounts will be based on the 
> login name and the password supplied at login time.  I've found a tool 
> named pam_mount, that is supposed to take the password given at login 
> time and re-apply it later for mounting volumes.  The problem is that 
> the documentation is extremely sparse, and I've no clue whether or not 
> it works with nss_ldap.

Both pam_mount and nss_ldap work nicely together, the only file you
should have to edit is the system-auth file, then all other systems
should resort to this for authentication.

The only thing that I did find was I had to place the pam mount entry
ABOVE the ldap reference as below.

auth        optional      /lib/security/$ISA/pam_mount.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_ldap.so try_first_pass

Otherwise pam_mount would not pick up the used username/password combo.
The optional/sufficient properties may also need tweaking for security :)

As a general rule, running the authconfig command sets everything up
that you need to get your pam subsystem authenticating against LDAP. Any
service that is then capable of using pam should be workable
with the LDAP directory.

I know that samba/ssh etc. are automatically using the ldap backend.

To get pam_mount to work just edit the file I mention in the manner
above.

> Do any of you fine folks know of a way that I can have a user's home dir 
> mounted at login time, based upon their login name and the password 
> they provided at login time?  I'm trying to get around the insecurities 
> of NFS and host-based spoofs, by requiring that extra login before you 
> get the file system.  Please don't suggest NIS(+) or NFS, unless you 
> have a way of securing NFS so that it requires a password as well as a 
> correct host, but can be done at login time, using LDAP user/pass.
> 
> TIA!

To get the home directories to mount you should be able to have a line
something like this.

volume * smb <server name> * /home/& uid=&,gid=Operations,fmask=0660,dmask=0770 - -

That second asterisk may need to be an ampersand.

The first asterisk is replaced with the username, the second asterisk
may do the same, and the ampersands are also replaced with the
username.

With regards to the security, you could also try having all the machines
placed in a VPN even on the local network, then you know that the
machine is who it says it is, and the person logging on is also who
they say they are.

Dougie
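Added example, not part of Dougie's reply: a small POSIX shell check for the ordering his post describes, namely that the pam_mount.so entry sits above pam_ldap.so in a PAM service file's auth stack and carries use_first_pass so it reuses the password typed at login. The two sample service files are constructed here for illustration; on a real system you would point the check at /etc/pam.d/system-auth.

```shell
# Added example (not from the original post): verify that pam_mount.so is
# listed in the auth stack ABOVE pam_ldap.so, and that it uses use_first_pass,
# since otherwise it never sees the username/password pair from login.

# Print the line number of the first 'auth' entry loading the given module
# pattern, or nothing if the module is absent from the auth stack.
first_auth_line() {
    # $1: PAM service file, $2: grep pattern for the module (e.g. pam_mount\.so)
    grep -n "^auth[[:space:]].*$2" "$1" | head -n 1 | cut -d: -f1
}

# Exit 0 only if pam_mount.so precedes pam_ldap.so in the auth stack and the
# pam_mount line carries use_first_pass; exit 1 otherwise.
pam_mount_order_ok() {
    mount_ln=$(first_auth_line "$1" 'pam_mount\.so')
    ldap_ln=$(first_auth_line "$1" 'pam_ldap\.so')
    [ -n "$mount_ln" ] && [ -n "$ldap_ln" ] || return 1
    [ "$mount_ln" -lt "$ldap_ln" ] || return 1
    sed -n "${mount_ln}p" "$1" | grep -q 'use_first_pass'
}

# Constructed sample: the ordering recommended in the post.
GOOD_AUTH=$(mktemp)
cat > "$GOOD_AUTH" <<'EOF'
auth        required      /lib/security/$ISA/pam_env.so
auth        optional      /lib/security/$ISA/pam_mount.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_ldap.so try_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
EOF

# Constructed sample: pam_mount placed after pam_ldap, the ordering the post
# says stops pam_mount from picking up the credentials.
BAD_AUTH=$(mktemp)
cat > "$BAD_AUTH" <<'EOF'
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_ldap.so try_first_pass
auth        optional      /lib/security/$ISA/pam_mount.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
EOF
trap 'rm -f "$GOOD_AUTH" "$BAD_AUTH"' EXIT

if pam_mount_order_ok "$GOOD_AUTH"; then echo "good sample: pam_mount before pam_ldap"; fi
if ! pam_mount_order_ok "$BAD_AUTH"; then echo "bad sample: pam_mount after pam_ldap"; fi
```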
