mod_ldap config for two ldap servers
Kaleb Pederson
kpederson at mail.ewu.edu
Thu Sep 9 16:07:12 UTC 2004
I'm trying to get mod_ldap stacked so that it will search two different ldap
servers on ssh authentication. If I use either the first configuration or
the second configuration it works fine. When I try to stack the modules so
that it will fallback to the second ldap server on failure, the first entry
will work (whichever one it may be), but the second one never gets queried --
(verified with tcpdump).
I'm sure I've missed something as I don't fully understand how the different
pieces (auth/account/password/session) interact. Can anybody lead me in the
right direction?
The error that I get is:
... sshd(pam_unix)[32554]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= ...
---- /etc/pam.d/sshd ----
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
---- /etc/pam.d/system-auth ----
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
# if I swap the next two, whichever one is first works
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth sufficient /lib/security/$ISA/pam_ldap.so config=/etc/secondary.ldap.conf use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
# if I swap the next two, whichever one is first works
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password sufficient /lib/security/$ISA/pam_ldap.so config=/etc/secondary.ldap.conf use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
# if I add in a second ldap entry here, neither of them will work
#session optional /lib/security/$ISA/pam_ldap.so config=/etc/secondary.ldap.conf
Thanks for the help.
--Kaleb
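An added example, not from the post or from the pam_ldap project: a small Python model of how libpam walks a stack of control flags, applied to the auth stack above. The labels (pam_ldap:secondary for the config= line) and the module outcomes are constructed assumptions, and the "reset" and numeric jump actions are left out.

```python
# Added simulator of Linux-PAM control-flag evaluation (simplified: "reset" and
# numeric jump actions are omitted); labels and module outcomes are constructed.
SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = "success", "auth_err", "user_unknown", "perm_denied"
# The four keywords are shorthand for bracketed [retcode=action] controls.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(field):
    """Map 'sufficient' or '[success=ok default=bad ...]' to {retcode: action}."""
    if field.startswith("["):
        return dict(pair.split("=", 1) for pair in field.strip("[]").split())
    return dict(KEYWORDS[field])

def run_stack(stack, outcomes):
    """Walk a stack the way libpam does.  stack: [(control, label)];
    outcomes: label -> return code (a missing label means SUCCESS).
    Returns (final status, labels of the modules that were actually called)."""
    impression, status, called = None, None, []   # None: nothing has contributed yet
    for control, label in stack:
        actions = parse_control(control)
        retval = outcomes.get(label, SUCCESS)
        called.append(label)
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("ok", "done"):
            # a result contributes only while no failure has been recorded
            if impression is None or (impression and status == SUCCESS):
                impression, status = retval == SUCCESS, retval
            if impression and action == "done":
                break                      # "sufficient" short-circuits on success
        elif action in ("bad", "die"):
            if impression is not False:    # the first failure fixes the stack's status
                impression, status = False, retval
            if action == "die":
                break
        # "ignore": this module's result does not affect the outcome at all
    return (PERM_DENIED if impression is None else status), called

# The auth stack from the post; the second pam_ldap line is labelled by its config=.
AUTH_STACK = [("required", "pam_env"), ("sufficient", "pam_unix"),
              ("sufficient", "pam_ldap"), ("sufficient", "pam_ldap:secondary"),
              ("required", "pam_deny")]

def user_only_on_secondary():   # constructed scenario: account exists only on server 2
    return run_stack(AUTH_STACK, {"pam_unix": AUTH_ERR, "pam_ldap": USER_UNKNOWN,
                                  "pam_ldap:secondary": SUCCESS, "pam_deny": AUTH_ERR})

def user_nowhere():             # constructed scenario: account exists on neither server
    return run_stack(AUTH_STACK, {"pam_unix": AUTH_ERR, "pam_ldap": USER_UNKNOWN,
                                  "pam_ldap:secondary": USER_UNKNOWN, "pam_deny": AUTH_ERR})
```

With these flags a failure from the first pam_ldap line is ignored and the second line is still called, so the control flags alone do not explain why the second server is never queried on the wire.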