pam + ldap problem (and NSS)
IEM - Network Operation Center
noc at iem.at
Tue May 18 15:02:12 UTC 2004
hi.
I guess this has been asked a thousand times before, but I haven't
found anything in the docs or on Google that could have helped me.
Probably you can.
here we go:
I have set up a heterogeneous network (Windows, Mac OS X, Linux) that is
authenticating against an LDAP server. It works great.
However, there are some woes with the Linux machines (all of which are
Debian-based).
I have both libnss-ldap and libpam-ldap installed to make it work.
NOW: when my LDAP server crashes, I cannot log in any more with local
accounts (namely: root), which I consider quite bad.
Now my setting is:
/etc/pam.d/login:
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_unix_auth.so
auth required /lib/security/pam_ldap.so try_first_pass
...
(everywhere the sufficient pam_unix comes before the required pam_ldap)
/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files
...
(so "files" should be consulted before "ldap")
However, when I disconnect a Unix machine from the net, I cannot log in as
root (which is of course kept in passwd/shadow).
I do guess this is because pam_unix uses the NSS mechanism for
authentication, which in turn is configured to use LDAP (besides local
files).
I don't want to kick out the "ldap" directive in nsswitch.conf,
because I'd like my usernames mapped to the correct user IDs.
Now my question: isn't there a simple PAM module that allows
authentication against a passwd/shadow file pair?
I guess that is the whole fuss about PAM: to have a number of small
modules that each perform a special task, like authentication against a
special system.
mfg.asd.r
IOhannes
--
IEM - network operation center
mailto:noc at iem.at
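An added configuration example, not part of the original post or of the Debian packages' shipped defaults: a /etc/pam.d/login stack and a libnss-ldap.conf that keep local accounts such as root usable while the LDAP server is unreachable. It assumes the PADL pam_ldap and libnss-ldap modules and their options "ignore_authinfo_unavail", "ignore_unknown_user", "bind_policy" and "bind_timelimit"; the server name and base DN are placeholders, and whether a given installed version supports every option is an assumption to check against its man page.

```text
# /etc/pam.d/login  (added example, not the original poster's config)
auth     required    pam_securetty.so
auth     required    pam_nologin.so
# Local accounts (root, /etc/shadow): success ends the stack here, so
# pam_ldap is never called for them and cannot hang the login.
auth     sufficient  pam_unix.so
# LDAP accounts: reuse the password already typed.  If the server is down,
# ignore_authinfo_unavail makes pam_ldap return "ignore" instead of failing
# outright after a long timeout; an unknown user is likewise ignored.
auth     required    pam_ldap.so  use_first_pass ignore_authinfo_unavail ignore_unknown_user
# Explicit final decision for anyone not accepted above.
auth     required    pam_deny.so

# Same ordering for the account stack: root is fully handled by pam_unix,
# LDAP users get pam_ldap's checks when the server is reachable.
account  required    pam_unix.so
account  required    pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user

# Session handling needs no LDAP round trip at all.
session  required    pam_unix.so

# /etc/libnss-ldap.conf  (values are placeholders, assumed for the example)
host            ldap.example.org
base            dc=example,dc=org
# Do not retry the bind forever when the server is gone; give up quickly
# so NSS lookups that do reach LDAP fall through instead of hanging.
bind_policy     soft
bind_timelimit  5
timelimit       5
```

Note on why the auth stack alone did not help: with "passwd: files ldap" a lookup of root stops at /etc/passwd, but initgroups() asks every listed group source for the user's supplementary groups, so "group: files ldap" still makes each login wait on LDAP. The soft bind policy and short timeouts above bound that wait; they do not remove it. Newer libnss-ldap versions add an option to skip LDAP group lookups for named local users (nss_initgroups_ignoreusers), which is the cleaner fix if the installed version has it.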