PAM configuration warning hints

6ceebca6 · Goik Martin · 218a73fb · 6ceebca6
Commit 6ceebca6 authored 4 years ago by Goik Martin
--- a/Doc/Sdi/ldap.xml
+++ b/Doc/Sdi/ldap.xml
@@ -1207,6 +1207,61 @@ modifying entry "olcDatabase={0}config,cn=config"</screen>
    <section xml:id="sdiSectLdapOsSupport">
      <title><xref linkend="glo_LDAP"/> based user login</title>

+      <caution xml:id="sdiSectLdapOsSupportPamCaution">
+        <para>In this exercise you'll modify your system's <quote
+        xlink:href="https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam">Pluggable
+        Authentication Modules (PAM)</quote>. You may
+        <emphasis>easily</emphasis> get locked out due to an unintended
+        misconfiguration. Stick to the following procedures avoiding this type
+        of mishap:</para>
+
+        <orderedlist>
+          <listitem>
+            <para>Create a backup <filename>/root/pam.tgz</filename> of your
+            working <acronym>PAM</acronym> configuration being represented by
+            <filename>/etc/pam.conf</filename> and files below
+            <filename>/etc/pam.d</filename> beforehand:</para>
+
+            <screen>cd /etc
+tar zcf /root/pam.tgz pam.conf pam.d</screen>
+
+            <para>Check the resulting archive to contain something
+            like:</para>
+
+            <screen language="bash">root@sdi12b:~# tar ztf /tmp/pam.tgz 
+pam.conf
+pam.d/
+pam.d/newusers
+pam.d/sshd
+...
+pam.d/chfn
+pam.d/chsh</screen>
+          </listitem>
+
+          <listitem>
+            <para>Always keep an independent (emergency) shell open when
+            tinkering with <acronym>PAM</acronym>. In case you are no longer
+            able to log in <abbrev>i.e.</abbrev> using <xref
+            linkend="glo_ssh"/> this one allows for restoring your working
+            configuration:</para>
+
+            <screen language="bash">cd /etc
+mv pam.d pam.d.orig        # Save your current (not working) PAM
+mv pam.conf pam.conf.orig  # configuration for later inspection.
+
+tar zxf /root/pam.tgz      # Restore your working PAM configuration</screen>
+
+            <para>After this try to log in again.</para>
+          </listitem>
+
+          <listitem>
+            <para>Prior to rebooting (and thus loosing your emergency login
+            shell) always try logging in thereby testing your system's
+            accessibility.</para>
+          </listitem>
+        </orderedlist>
+      </caution>
+
      <para>Configure your second VM (the one without <xref
      linkend="glo_LDAP"/> Server) to allow for user login purely based on
      <xref linkend="glo_LDAP"/>.</para>