此内容没有您所选择的语言版本。

30.3.2. Configuring the PAM Service


Warning

A mistake in the PAM configuration file can lock users out of the system completely. Always back up the configuration files before performing any changes, and keep a session open so that any changes can be reverted.
SSSD provides a PAM module, sssd_pam, which instructs the system to use SSSD to retrieve user information. The PAM configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with PAM.
To configure the PAM service:
  1. The Authentication Configuration tool automatically writes to the /etc/pam.d/system-auth-ac file, which is symlinked to /etc/pam.d/system-auth. Any changes made to /etc/pam.d/system-auth are overwritten the next time that authconfig is run.
    So, remove the /etc/pam.d/system-auth symlink.
    [root@server ~]# rm /etc/pam.d/system-auth
    rm: remove symbolic link `/etc/pam.d/system-auth'? y
  2. Create a new /etc/pam.d/system-auth-local file. One easy way to do this is simply to copy the /etc/pam.d/system-auth-ac file.
    [root@server ~]# cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-local
  3. Create a new symlink between the /etc/pam.d/system-auth-local file and /etc/pam.d/system-auth.
    [root@server ~]# ln -s /etc/pam.d/system-auth-local /etc/pam.d/system-auth
  4. Edit the /etc/pam.d/system-auth-local file, and add all of the SSSD modules to the PAM configuration:
    #%PAM-1.0
    ...
    auth        sufficient    pam_sss.so use_first_pass
    auth        required      pam_deny.so
    
    ...
    account [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so
    
    ...
    password    sufficient    pam_sss.so use_authtok
    password    required      pam_deny.so
    
    ...
    session     sufficient    pam_sss.so
    session     required      pam_unix.so
    These modules can be set to include statements, as necessary.
  5. Open the sssd.conf file.
    # vim /etc/sssd/sssd.conf
  6. Make sure that PAM is listed as one of the services that works with SSSD.
    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
  7. In the [pam] section, change any of the PAM parameters. These are listed in Table 30.2, “SSSD [pam] Configuration Parameters”.
    [pam]
    reconnection_retries = 3
    offline_credentials_expiration = 2
    offline_failed_login_attempts = 3
    offline_failed_login_delay = 5
  8. Restart SSSD.
    [root@server ~]# service sssd restart
Table 30.2. SSSD [pam] Configuration Parameters
Parameter Value Format Description
offline_credentials_expiration integer Sets how long, in days, to allow cached logins if the authentication provider is offline. This value is measured from the last successful online login. If not specified, this defaults to zero (0), which is unlimited.
offline_failed_login_attempts integer Sets how many failed login attempts are allowed if the authentication provider is offline. If not specified, this defaults to zero (0), which is unlimited.
offline_failed_login_delay integer Sets how long to prevent login attempts if a user hits the failed login attempt limit. If set to zero (0), the user cannot authenticate while the provider is offline once he hits the failed attempt limit. Only a successful online authentication can re-enable offline authentication. If not specified, this defaults to five (5).
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.