[Freeipa-users] pam su configuration to ignore certain ipa/ldap users

KodaK sakodak at gmail.com
Tue Aug 7 17:33:15 UTC 2012


I've figured this out on AIX.  If anyone googles this later:

in /etc/security/user

the default: stanza needs to have:

SYSTEM = "compat or KRB5ALXAP or LDAP"

instead of:

SYSTEM = "KRB5ALXAP or LDAP or compat"

It could probably be done other ways (using PAM), but this was easiest for now.

On Tue, Aug 7, 2012 at 10:02 AM, KodaK <sakodak at gmail.com> wrote:
> I have an unusual situation.  Our DBAs want different passwords for the
> oracle account on production and development machines.  I'm using local
> authentication for oracle on all the boxes, but they're also not allowed
> to log in directly as oracle, only su, but su always wants to go to ldap
> first.
>
> Does anyone know what I need to do to get su to look at local auth first,
> then go to ldap?
>
> Another consideration is that this is AIX.  I'm pretty sure if given a
> Linux solution to this I could adapt (AIX *can* use PAM, it just doesn't
> by default.)
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
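
A way to check which SYSTEM value applies to an account before and after the change described in the message above. This is an added example, not part of the original post: the function names and the sample stanza files are constructed for illustration. It assumes a user's own stanza overrides the `default:` stanza and that methods joined by `or` are tried left to right.

```shell
#!/bin/sh
# Added example (not from the original post): report which SYSTEM value
# applies to a user in an AIX-style stanza file such as /etc/security/user.
# A user's own stanza takes precedence over the default: stanza.

effective_system() {  # usage: effective_system FILE USER
    awk -v user="$2" '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }      # skip comments and blanks
        /^[^ \t=]+:[ \t]*$/ {                   # stanza header, e.g. "default:"
            stanza = $1; sub(/:$/, "", stanza); next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/^"|"$/, "", val)              # drop surrounding quotes
            if (key != "SYSTEM") next
            if (stanza == "default") def = val
            if (stanza == user) own = val
        }
        END { print (own != "" ? own : def) }
    ' "$1"
}

# First method named in the grammar, i.e. the one tried first.
first_method() { effective_system "$1" "$2" | awk '{ print $1 }'; }

# Constructed sample files: the default stanza before and after the change.
before=$(mktemp); after=$(mktemp)
cat > "$before" <<'EOF'
* constructed sample, not a real host's file
default:
    SYSTEM = "KRB5ALXAP or LDAP or compat"

oracle:
    rlogin = false
EOF
sed 's/"KRB5ALXAP or LDAP or compat"/"compat or KRB5ALXAP or LDAP"/' \
    "$before" > "$after"

for f in "$before" "$after"; do
    echo "oracle: first=$(first_method "$f" oracle) SYSTEM=$(effective_system "$f" oracle)"
done
```

Because the change is made in the `default:` stanza, the same check run for any other account without its own SYSTEM line shows the new ordering applies there too.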