Ce contenu n'est pas disponible dans la langue sélectionnée.
13.2.6. Configuring Services: PAM
Warning
A mistake in the PAM configuration file can lock users out of the system completely. Always back up the configuration files before performing any changes, and keep a session open so that any changes can be reverted.
SSSD provides a PAM module,
sssd_pam
, which instructs the system to use SSSD to retrieve user information. The PAM configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with PAM.
Procedure 13.3. Configuring PAM
- Use
authconfig
to enable SSSD for system authentication.# authconfig --update --enablesssd --enablesssdauth
This automatically updates the PAM configuration to reference all of the SSSD modules:#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quietaccount [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtokpassword sufficient pam_sss.so use_authtok
password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uidsession sufficient pam_sss.so
session required pam_unix.soThese modules can be set toinclude
statements, as necessary. - Open the
sssd.conf
file.# vim /etc/sssd/sssd.conf
- Make sure that PAM is listed as one of the services that works with SSSD.
[sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss,
pam
- In the
[pam]
section, change any of the PAM parameters. These are listed in Table 13.3, “SSSD [pam] Configuration Parameters”.[pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5
- Restart SSSD.
~]# service sssd restart
Parameter | Value Format | Description |
---|---|---|
offline_credentials_expiration | integer | Sets how long, in days, to allow cached logins if the authentication provider is offline. This value is measured from the last successful online login. If not specified, this defaults to zero (0 ), which is unlimited. |
offline_failed_login_attempts | integer | Sets how many failed login attempts are allowed if the authentication provider is offline. If not specified, this defaults to zero (0 ), which is unlimited. |
offline_failed_login_delay | integer | Sets how long to prevent login attempts if a user hits the failed login attempt limit. If set to zero (0 ), the user cannot authenticate while the provider is offline once he hits the failed attempt limit. Only a successful online authentication can re-enable offline authentication. If not specified, this defaults to five (5 ). |