From: Gary W. S. <ga...@pr...> - 2006-01-07 05:41:22
I've been trying to get shadow, ldap and mysql working in that order. So far I think I have it. But I was wondering if I can get some comments from people on the list if this is the best approach or not.

I also have a question about configuration options. Can the optional pam line parameters be stored in the conf file?

And the final question is how can I limit the users to only the active server automatically (assuming I create a field in the database and put a proper where clause in)?

Below is the conf and pam setups.

-rw------- 1 root root 452 Jan 6 20:41 /etc/pam-mysql.conf

users.host = xxx;
users.database = xxx;
users.db_user = xxx;
users.db_passwd = xxx;
users.table = user;
users.user_column = user.user_name;
users.password_column = user.password;
users.status_column = user.status;
users.password_crypt = false;
users.use_323_password = false;
users.use_md5 = false;
users.update_table = false;
users.where_clause = ;
verbose = 1;
crypt = 2;
use_first_pass = true;
try_first_pass = false;
debug = true;

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth sufficient /lib/security/$ISA/pam_mysql.so use_first_pass config_file=/etc/pam-mysql.conf
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_mysql.so debug=true config_file=/etc/pam-mysql.conf
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password sufficient /lib/security/$ISA/pam_mysql.so debug=true use_first_pass config_file=/etc/pam-mysql.conf
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
session optional /lib/security/$ISA/pam_mysql.so config_file=/etc/pam-mysql.conf
session required pam_mkhomedir.so skel=/etc/skel umask=0077

Any feedback would be greatly appreciated.

Gary Smith