mod_ldap config for two ldap servers
Tom Ryan
tomryan at camlaw.rutgers.edu
Thu Sep 9 18:20:05 UTC 2004
Can't you just put
host server1 server2
in ldap.conf?
Tom
On Thu, 9 Sep 2004, Kaleb Pederson wrote:
> I'm trying to get mod_ldap stacked so that it will search two different ldap
> servers on ssh authentication. If I use either the first configuration or
> the second configuration it works fine. When I try to stack the modules so
> that it will fall back to the second ldap server on failure, the first entry
> will work (whichever one it may be), but the second one never gets queried --
> (verified with tcpdump).
>
> I'm sure I've missed something as I don't fully understand how the different
> pieces (auth/account/password/session) interact. Can anybody lead me in the
> right direction?
>
> The error that I get is:
> ... sshd(pam_unix)[32554]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= ...
>
> ---- /etc/pam.d/sshd ----
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> session required pam_limits.so
> session optional pam_console.so
>
> ---- /etc/pam.d/system-auth ----
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> # if I swap the next two, whichever one is first works
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth sufficient /lib/security/$ISA/pam_ldap.so config=/etc/secondary.ldap.conf use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so
> account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
>
> password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> # if I swap the next two, whichever one is first works
> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> password sufficient /lib/security/$ISA/pam_ldap.so config=/etc/secondary.ldap.conf use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_ldap.so
> # if I add in a second ldap entry here, neither of them will work
> #session optional /lib/security/$ISA/pam_ldap.so config=/etc/secondary.ldap.conf
>
> Thanks for the help.
>
> --Kaleb
>
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>
_______________________________________________________________________
Tom Ryan Voice: 856-225-6361
Consulting System Administrator Fax: 856-969-7900
Rutgers School of Law - Camden IT Help Desk: 856-225-2343
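Kaleb's question about how the auth/account pieces interact comes down to the control-field semantics described in pam.conf(5): required, requisite, sufficient, optional, and the bracketed [value=action ...] form. The Python model below is an added illustration, not code from this thread, from Linux-PAM or from pam_ldap. It models only the dispatcher's walk over a stack; the module outcomes it feeds in are constructed (a real pam_unix or pam_ldap decides its own return code), and it says nothing about what pam_ldap does with a config= option. Run against the quoted auth stack it shows that two sufficient pam_ldap lines in a row would both be invoked when the first returns a failure, so the stack order by itself does not explain the second server never being queried, and it shows what the bracketed account line does with user_unknown and service_err versus other failures.

```python
"""Simulation of Linux-PAM control-flag semantics as described in pam.conf(5).

Added illustration, not code from the thread, from Linux-PAM or from pam_ldap.
The module outcomes used below are constructed scenarios: a real pam_unix or
pam_ldap decides its own return code.
"""
from typing import Callable, Dict, List, Tuple

# Return-value names as used in pam.conf(5); a small subset of PAM's codes.
SUCCESS, AUTH_ERR, USER_UNKNOWN, SERVICE_ERR, SYSTEM_ERR = (
    "success", "auth_err", "user_unknown", "service_err", "system_err")

# pam.conf(5) defines each simple keyword in terms of the bracketed syntax.
KEYWORD_ACTIONS: Dict[str, Dict[str, str]] = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_control(control: str) -> Dict[str, str]:
    """Map a control field ('sufficient' or '[default=bad success=ok ...]') to value->action."""
    control = control.strip()
    if control.startswith("[") and control.endswith("]"):
        return dict(pair.split("=", 1) for pair in control[1:-1].split())
    return dict(KEYWORD_ACTIONS[control])


# (control field, module name, fake module returning a PAM return-value name)
Entry = Tuple[str, str, Callable[[], str]]


def run_stack(stack: List[Entry]) -> Tuple[str, List[str]]:
    """Walk a stack the way libpam's dispatcher does, simplified to the actions
    ok/done/bad/die/ignore (no 'reset' and no numeric jumps).

    'ok' contributes unless a failure is already recorded, 'bad' records the
    first failure, 'done'/'die' stop the walk, 'ignore' contributes nothing.
    Returns the final status and the modules actually invoked, in order."""
    status = None
    failed = False
    invoked: List[str] = []
    for control, name, module in stack:
        actions = parse_control(control)
        code = module()
        invoked.append(name)
        # A return value with no explicit action falls under 'default';
        # libpam treats an unspecified default as 'bad'.
        action = actions.get(code, actions.get("default", "bad"))
        if action in ("ok", "done"):
            if not failed:
                status = code
            if action == "done":
                break
        elif action in ("bad", "die"):
            if not failed:
                status, failed = code, True
            if action == "die":
                break
        # 'ignore': the module's result does not contribute
    if status is None:
        status = "perm_denied"  # libpam fails a stack in which no module contributed
    return status, invoked


def auth_stack(unix_code: str, ldap1_code: str, ldap2_code: str) -> List[Entry]:
    """The quoted system-auth 'auth' stack, with constructed module outcomes."""
    return [
        ("required",   "pam_env",             lambda: SUCCESS),
        ("sufficient", "pam_unix",            lambda: unix_code),
        ("sufficient", "pam_ldap(primary)",   lambda: ldap1_code),
        ("sufficient", "pam_ldap(secondary)", lambda: ldap2_code),
        ("required",   "pam_deny",            lambda: AUTH_ERR),
    ]


def account_stack(unix_code: str, ldap_code: str) -> List[Entry]:
    """The quoted 'account' stack, including its bracketed control field."""
    return [
        ("required", "pam_unix", lambda: unix_code),
        ("[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]",
         "pam_ldap", lambda: ldap_code),
    ]


if __name__ == "__main__":
    # Local user: pam_unix succeeds and 'sufficient' ends the walk early.
    print(run_stack(auth_stack(SUCCESS, AUTH_ERR, AUTH_ERR)))
    # User known only to the secondary server: the earlier modules are ignored,
    # so the second pam_ldap entry is reached and its success ends the stack.
    print(run_stack(auth_stack(USER_UNKNOWN, USER_UNKNOWN, SUCCESS)))
    # User known nowhere: everything is ignored until pam_deny records the failure.
    print(run_stack(auth_stack(USER_UNKNOWN, USER_UNKNOWN, USER_UNKNOWN)))
    # Account phase: an LDAP user_unknown or service_err is ignored, but any
    # other LDAP failure becomes the stack's result.
    print(run_stack(account_stack(SUCCESS, USER_UNKNOWN)))
    print(run_stack(account_stack(SUCCESS, SERVICE_ERR)))
    print(run_stack(account_stack(SUCCESS, AUTH_ERR)))
```

Running the file prints, for each constructed scenario, the stack's final status and the list of modules that were invoked; the second scenario is the one to compare against the tcpdump observation, since the dispatcher alone would have reached the secondary pam_ldap entry.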