I am running ubuntu 10.10 and trying to setup pam with pam_ldap.
The guide at: http://wiki.debian.org/LDAP/PAM says, among other things:
In order to globally enable LDAP authentication through PAM, configure /etc/pam_ldap.conf accordingly and edit the /etc/pam.d/common-* files so that they contain something like this:
/etc/pam.d/common-account:
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
Now, taking this one file as an example, I see:
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
My question is, do I remove the things currently in that file, replacing them with the ones from the guide - or do I append the things from the guide to the end of the file?
The second file you copied should already permit access via LDAP.
The first rule will attempt to authenticate through the standard unix mechanism (passwd/shadow). If that fails, then the second rule gets called and attempts to authenticate with pam_ldap. If that then fails, login is denied.
On a side note, when implementing PAM, don't forget to test things step by step.
Ensure that you can search via ldapsearch to verify that your /etc/pam_ldap and/or /etc/nss_ldap are configured correctly.
Also ensure that getent passwd / getent group returns both Unix and LDAP accounts to verify that your /etc/nsswitch.conf is configured correctly.
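To see why the answer says the existing Ubuntu stack already covers LDAP, it helps to walk the control flags by hand. The script below is an added example (not part of the question, the answer, or Linux-PAM itself): a deliberately simplified model of how Linux-PAM evaluates one management group's stack, using the keyword-to-bracket equivalences from pam.conf(5). It parses both the common-account stack quoted from Ubuntu 10.10 and the stack from the Debian wiki guide, then runs constructed scenarios through each. The per-module return values in SCENARIOS (for example that pam_unix reports user_unknown for an account it cannot see, or that pam_succeed_if reports auth_err when its condition is false) are assumptions for illustration; what a real module returns depends on your NSS and LDAP setup. Note what the success=2 jump on pam_unix does as written: once pam_unix succeeds, pam_ldap's account checks are never consulted.

```python
import re

# Keyword controls written out in their equivalent bracket form (pam.conf(5)).
# Any return value not listed falls through to "default".
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")


def parse_stack(text):
    """Turn the lines of a /etc/pam.d file into (control, module) pairs.
    Module arguments (e.g. 'uid < 1000 quiet') are parsed over but ignored."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        _mtype, ctl, module = m.groups()
        if ctl.startswith("["):
            control = dict(kv.split("=", 1) for kv in ctl[1:-1].split())
        else:
            control = KEYWORDS[ctl]
        stack.append((control, module))
    return stack


def evaluate(stack, results):
    """Walk one stack top to bottom and return the status the application sees.
    `results` maps module name -> what that module returns for this user
    ('success', 'user_unknown', 'acct_expired', ...); pam_permit and pam_deny
    always return success / perm_denied.  Simplified model of Linux-PAM:
    'reset' and the other rarer actions are not supported."""
    status, failed, skip = None, False, 0
    for control, module in stack:
        if skip:                      # inside a jump: this module is not run
            skip -= 1
            continue
        if module == "pam_permit.so":
            ret = "success"
        elif module == "pam_deny.so":
            ret = "perm_denied"
        else:
            ret = results[module]
        action = control.get(ret, control.get("default", "ignore"))
        if action == "ignore":
            continue
        if action.isdigit():          # jump N: like 'ok', then skip the next N lines
            if not failed:
                status = ret
            skip = int(action)
        elif action in ("ok", "done"):
            if not failed:
                status = ret
            if action == "done" and not failed:
                break                 # 'sufficient' success ends the stack early
        elif action in ("bad", "die"):
            if not failed:
                status, failed = ret, True
            if action == "die":
                break                 # 'requisite' failure ends the stack early
        else:
            raise ValueError("unsupported action %r" % action)
    # If every line was ignored, nothing was recorded and PAM denies access.
    return status if status is not None else "perm_denied"


# The Ubuntu 10.10 common-account stack shown in the question.
UBUNTU_ACCOUNT = """
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
"""

# The stack from the Debian wiki guide quoted in the question.
GUIDE_ACCOUNT = """
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
"""

# Constructed per-user module results (assumptions for illustration only).
SCENARIOS = {
    "local user (uid < 1000)":       {"pam_unix.so": "success", "pam_succeed_if.so": "success", "pam_ldap.so": "user_unknown"},
    "ldap user visible to pam_unix": {"pam_unix.so": "success", "pam_succeed_if.so": "auth_err", "pam_ldap.so": "success"},
    "ldap user unknown to pam_unix": {"pam_unix.so": "user_unknown", "pam_succeed_if.so": "auth_err", "pam_ldap.so": "success"},
    "ldap user, account expired":    {"pam_unix.so": "success", "pam_succeed_if.so": "auth_err", "pam_ldap.so": "acct_expired"},
    "unknown user":                  {"pam_unix.so": "user_unknown", "pam_succeed_if.so": "user_unknown", "pam_ldap.so": "user_unknown"},
}


def compare(scenarios=SCENARIOS):
    """Run every scenario through both stacks: {name: (ubuntu_status, guide_status)}."""
    ubuntu, guide = parse_stack(UBUNTU_ACCOUNT), parse_stack(GUIDE_ACCOUNT)
    return {name: (evaluate(ubuntu, r), evaluate(guide, r)) for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, (u, g) in compare().items():
        print("%-32s ubuntu=%-13s guide=%s" % (name, u, g))
```

Running it shows the two stacks agreeing on local users, LDAP users that NSS makes visible, and unknown users, and disagreeing in the two cases that matter for the question: the guide's `required pam_unix.so` rejects an LDAP account that pam_unix cannot see, while the Ubuntu jump lets pam_unix's success skip pam_ldap entirely, so an expired LDAP account still passes the account stage there. Appending the guide's lines after `pam_deny.so` would only ever run for users who already got past the jump, which is why the answer advises leaving the existing file as it is.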