How to configure PAM on Linux
  •  
mleo999

Gang,

I must be thicker than a box of rocks ...

The documentation states:

Use this option to specify the name of the PAM service
(configuration file) used for authentication of users
in this domain. We recommend to use the keriomail PAM
service configuration file that ships with Kerio
MailServer installation. Details about PAM service
configuration can be found in the documentation to your
Linux distribution.

After installing the RPM and configuring KMS, I can't find
such a file anywhere on the system.

I combed through the forums and gleaned that the file should
look like this:

#%PAM-1.0
auth required /lib/security/pam_unix_auth.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_unix_passwd.so nullok md5 shadow

So I put this file in /kerio/keriomail and put that filename
in the Domains->Advanced configuration. I restarted the
entire KMS system, but still no joy.

Now, I was worried it might have something to do with my
Linux authentication using OpenLDAP on another machine, so I
set up a "local" user, but still no joy.

Can somebody point me in the right direction? The logs aren't
revealing anything useful.

Thanks,




Mike Leo
Caribou Lake LLC
mleo<_at_>cariboulake.com
  •  
Petr Dobry (Kerio)

mleo999 wrote on Fri, 09 September 2005 04:03

Gang,

After installing the RPM and configuring KMS, I can't find
such a file anywhere on the system.

So I put this file in /kerio/keriomail and put that filename
in the Domains->Advanced configuration. I restarted the
entire KMS system, but still no joy.



PAM configuration files are usually located in /etc/pam.d, where the keriomail file for KMS should also be.

Petr Dobry
Product Development Manager | Kerio
  •  
mleo999

OK. That was helpful. Thank you.

However, I still have one more problem.

Now I can authenticate against the UNIX passwd file,
but not the LDAP server.

What do I mean?

1. Created user "foo" as a "local" UNIX user, then
created it in KMS (authorized to PAM), and it works
perfectly.

2. Create user "bar" in KMS (already exists in LDAP).
Doesn't work.

Note that I can log into the UNIX system using either
account.

I tried changing the contents of /etc/pam.d/keriomail to

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so


But still no joy.

Please help!


Mike Leo
Caribou Lake LLC
mleo<_at_>cariboulake.com
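
Added example, not part of the posts above: a simplified Python model of how Linux-PAM walks the auth lines of the /etc/pam.d/keriomail file quoted in the preceding post, showing why a local account stops at pam_unix while an LDAP-only account falls through to pam_ldap. The per-module outcomes are constructed inputs, no real PAM module is called, and only the required, requisite, sufficient and optional keywords are modelled.

```python
# The auth lines of the keriomail service file from the post above.
KERIOMAIL_AUTH = """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
"""

# Constructed module outcomes (True = PAM_SUCCESS) for three logins.
SCENARIOS = {
    "local user, good password": {"pam_env.so": True, "pam_unix.so": True,
                                  "pam_ldap.so": False, "pam_deny.so": False},
    "LDAP-only user, good password": {"pam_env.so": True, "pam_unix.so": False,
                                      "pam_ldap.so": True, "pam_deny.so": False},
    "any user, bad password": {"pam_env.so": True, "pam_unix.so": False,
                               "pam_ldap.so": False, "pam_deny.so": False},
}

def parse_stack(text, mgmt="auth"):
    """Return [(control, module file name)] for one management group."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, outcomes):
    """Return (granted, modules consulted) for one pass over the stack."""
    status, trace = None, []
    for control, module in stack:
        ok = outcomes[module]
        trace.append(module)
        if control in ("required", "requisite"):
            if not ok:
                status = False          # failure is remembered
                if control == "requisite":
                    return False, trace  # requisite stops immediately
            elif status is None:
                status = True
        elif control == "sufficient" and ok and status is not False:
            return True, trace           # success ends the stack early
        # "optional" results are ignored in this model
    return status is True, trace

if __name__ == "__main__":
    for name, outcomes in SCENARIOS.items():
        print(name, evaluate(parse_stack(KERIOMAIL_AUTH), outcomes))
```

Because pam_deny.so is the last required module, any login that neither sufficient module accepts is rejected, which is the fail-closed behaviour a mail service's PAM stack should have.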
  •  
mleo999

OK, after restarting Kerio a few times, I now seem to be able to authenticate
properly via PAM for accounts only in LDAP.

However, I only seem to be able to authenticate via the web mail interface. I can't
seem to authenticate with POP. It might be a Eudora thing, so I will try LookOut on
Monday.

Mike Leo
Caribou Lake LLC
mleo<_at_>cariboulake.com