[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: ldap authetification question

Change all ldap modules to sufficient or optional or keep your ldap server running :-)


Michael Kress wrote:


I tried to implement authentification to ldap via pam_ldap and I'm encountering
problems - I wonder if you could be a help to my problem:

The problem in brief: After a conversion towards pam_ldap I can't login
anymore into my machine when the ldap server isn't started.
Imagine the scenario: The machine boots (normally it doesn't) ;-) and it
can't mount /var, so the slapd can't start up.

As far as I've understood the sense of /etc/nsswitch.conf it determines the
order of usage of fall back services, i.e. if one service fails, the next one
will be consulted, and so on...

So, my nsswitch.conf looks like:
passwd:     files nisplus nis ldap
shadow:     files nisplus nis ldap
group:      files nisplus nis ldap

(I tried some variations like: ldap files, etc.)

Since I'm using redhat 7.2 I used authconfig which generated this
file: /etc/pam.d/system-auth ... after I instructed it to use ldap for
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok nis
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

So, I can login without any problems, no matter if this user is located in
/etc/passwd or in the ldap People database, but when I stop slapd, I can't
even log in as a /etc/passwd user (e.g. even root!). Fortunaley I had a couple of other root shells open to this machine. :)
Is there any way to achieve this, to be able to login with a stopped slapd ?
Besides the HOWTOS, is there any documentation which handles exactly this
problem ?

Thanks in advance for your help!


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []