pam + ldap problem (and NSS)

IEM - Network Operation Center noc at iem.at
Tue May 18 15:02:12 UTC 2004


hi.

i guess this has been asked a thousand times before - but i haven't 
found anything in the docs and in google that could have helped me.

probably you can do so.
here we go:

i have set up a heterogeneous network (windows, macOS-X, linux) that is 
authenticating against an ldap-server. it works great.

however there are some woes with the linux-machines (all of which are 
debian-based).
i have both libnss-ldap and libpam-ldap installed to make it work.

NOW: when my ldap-server crashes, i cannot log in any more with local 
accounts (namely: root), which i consider quite bad.
now my setting is

/etc/pam.d/login:
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_unix_auth.so
auth       required     /lib/security/pam_ldap.so  try_first_pass
...

(everywhere the sufficient pam_unix is before the required pam_ldap)


/etc/nsswitch.conf
passwd:         files ldap
group:          files ldap
shadow:         files
...
(so "files" should be called before "ldap")

however when i disconnect a unix-machine from the net, i cannot log in as 
root (which is of course kept in passwd/shadow).

i do guess this is because pam_unix uses the nss-mechanism for 
authentication, which in turn is configured to use ldap (besides local 
files).

i don't want to kick out the "ldap" directive in the nsswitch.conf, 
because i'd like my usernames mapped to the correct user-IDs.

now my question: isn't there a simple pam-module that allows 
authentication against a passwd/shadow file-pair?

i guess this is the whole fuss about pam: to have a number of small 
modules that perform a special task, like authentication against a 
special system.


mfg.asd.r
IOhannes
-- 
IEM - network operation center
mailto:noc at iem.at
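Added example, not part of the original mail or of the pam_ldap/nss_ldap projects: a small Python model of how a PAM auth stack is evaluated under the classic control flags (required/requisite/sufficient, as documented in pam.conf(5)) and of how an nsswitch.conf source list is walked (success returns, notfound and unavail fall through to the next source). It is applied to the login stack and the "passwd: files ldap" line quoted in the mail, so the reader can see which modules and sources are actually consulted when the directory is unreachable. Module basenames, the users "root" and "alice", the uids and the reachable/unreachable outcomes are all constructed for the illustration; nothing here talks to a real PAM or LDAP service.

```python
"""Model of PAM control-flag evaluation and nsswitch source walking (added
example, not from the original mail). Module names, users, uids and the
reachable/unreachable outcomes are constructed for illustration."""

SUCCESS, FAIL = "success", "fail"

# The auth section quoted in the mail, in file order (module basenames only).
LOGIN_STACK = [
    ("required", "pam_securetty"),
    ("required", "pam_nologin"),
    ("sufficient", "pam_unix"),
    ("required", "pam_ldap"),
]


def evaluate_pam_stack(stack, results):
    """Walk an auth stack with the classic pam.conf(5) control flags.

    results maps module name -> SUCCESS or FAIL for this attempt.
    required:   failure is recorded, the stack keeps running
    requisite:  failure ends the stack immediately with failure
    sufficient: success ends the stack with success unless an earlier
                required module already failed; failure is ignored
    Returns (overall result, list of modules actually consulted).
    """
    failed = False
    consulted = []
    for control, module in stack:
        consulted.append(module)
        result = results[module]
        if control == "requisite" and result != SUCCESS:
            return FAIL, consulted
        if control == "required" and result != SUCCESS:
            failed = True
        if control == "sufficient" and result == SUCCESS and not failed:
            return SUCCESS, consulted
    return (FAIL if failed else SUCCESS), consulted


class DirectoryDown(ConnectionError):
    """Raised by a source whose backend is unreachable (NSS 'unavail')."""


def nss_lookup(sources, name, backends):
    """Walk one nsswitch.conf database, e.g. 'passwd: files ldap'.

    backends maps a source name to a callable that returns a record,
    None for 'not found', or raises DirectoryDown for 'unavailable'.
    With the default actions, success returns at once and both notfound
    and unavail fall through to the next source.
    Returns (record, source that answered) or (None, None).
    """
    for source in sources:
        try:
            record = backends[source](name)
        except DirectoryDown:
            continue
        if record is not None:
            return record, source
    return None, None


# Constructed sample data: root lives only in local files, alice only in LDAP.
LOCAL_PASSWD = {"root": {"uid": 0}}
LDAP_PASSWD = {"alice": {"uid": 10001}}


def files_backend(name):
    return LOCAL_PASSWD.get(name)


def make_ldap_backend(reachable, calls):
    """LDAP source; every lookup is appended to 'calls' so a caller can
    tell whether the directory was consulted at all."""
    def lookup(name):
        calls.append(name)
        if not reachable:
            raise DirectoryDown(name)
        return LDAP_PASSWD.get(name)
    return lookup


def resolve_user(name, ldap_reachable):
    """'passwd: files ldap' -> (uid or None, answering source, ldap consulted?)"""
    calls = []
    backends = {"files": files_backend,
                "ldap": make_ldap_backend(ldap_reachable, calls)}
    record, source = nss_lookup(["files", "ldap"], name, backends)
    return (record["uid"] if record else None), source, bool(calls)


def root_login(unix_ok, ldap_reachable):
    """Outcome of the quoted login stack for root, given whether pam_unix
    succeeded on its own and whether the directory is reachable."""
    results = {
        "pam_securetty": SUCCESS,
        "pam_nologin": SUCCESS,
        "pam_unix": SUCCESS if unix_ok else FAIL,
        "pam_ldap": SUCCESS if ldap_reachable else FAIL,
    }
    return evaluate_pam_stack(LOGIN_STACK, results)


if __name__ == "__main__":
    print(resolve_user("root", ldap_reachable=False))
    print(resolve_user("alice", ldap_reachable=False))
    print(root_login(unix_ok=True, ldap_reachable=False))
    print(root_login(unix_ok=False, ldap_reachable=False))
```

Two things the model makes visible. First, with "passwd: files ldap" a lookup of root is answered by files and the ldap source is never called, so the passwd lookup for root itself is not where an unreachable directory can bite; only a name that files does not hold falls through to ldap. Second, the sufficient pam_unix entry short-circuits the stack only if pam_unix itself returns success: if it fails for any reason (including not being able to resolve or check the account), the failure is ignored and the required pam_ldap entry decides the outcome, which with the directory down is a denial. The model treats an unreachable directory as an immediate "unavailable" result; whether a real nss_ldap client fails fast or blocks while retrying depends on its bind policy and timeout settings, which this example does not model.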