mod_ldap config for two ldap servers

Tom Ryan tomryan at camlaw.rutgers.edu
Thu Sep 9 18:20:05 UTC 2004


can't you just put

host server1 server2

in ldap.conf?

Tom

On Thu, 9 Sep 2004, Kaleb Pederson wrote:

> I'm trying to get mod_ldap stacked so that it will search two different ldap
> servers on ssh authentication.  If I use either the first configuration or
> the second configuration it works fine.  When I try to stack the modules so
> that it will fallback to the second ldap server on failure, the first entry
> will work (whichever one it may be), but the second one never gets queried --
> (verified with tcpdump).
>
> I'm sure I've missed something as I don't fully understand how the different
> pieces (auth/account/password/session) interact.  Can anybody lead me in the
> right direction?
>
> The error that I get is:
> ... sshd(pam_unix)[32554]: authentication failure; logname= uid=0 euid=0
> tty=NODEVssh ruser= ...
>
> ---- /etc/pam.d/sshd ----
> auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> session    required     pam_limits.so
> session    optional     pam_console.so
>
> ---- /etc/pam.d/system-auth ----
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> # if I swap the next two, whichever one is first works
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        sufficient    /lib/security/$ISA/pam_ldap.so config=/etc/secondary.ldap.conf use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so
> account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
>
> password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> # if I swap the next two, whichever one is first works
> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
> password    sufficient    /lib/security/$ISA/pam_ldap.so config=/etc/secondary.ldap.conf use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_ldap.so
> # if I add in a second ldap entry here, neither of them will work
> #session     optional      /lib/security/$ISA/pam_ldap.so config=/etc/secondary.ldap.conf
>
> Thanks for the help.
>
> --Kaleb
>
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>

_______________________________________________________________________
Tom Ryan                                            Voice: 856-225-6361
Consulting System Administrator                       Fax: 856-969-7900
Rutgers School of Law - Camden               IT Help Desk: 856-225-2343
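The quoted system-auth stacks mix `required`, `sufficient` and the bracketed `[default=bad success=ok ...]` control syntax. As an added illustration (not code from this thread or from Linux-PAM), here is a simplified Python model of how Linux-PAM evaluates such a stack, run against the quoted auth and account stacks with constructed module outcomes; the control-keyword expansion follows pam.conf(5), and the module return codes used are test inputs, not results from the poster's servers.

```python
# Simplified model of Linux-PAM stack evaluation (added example, not the
# project's code). Control keywords expand as documented in pam.conf(5).
CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(ctrl):
    """Return {return_code: action} for a keyword or a [k=v ...] control."""
    if ctrl.startswith("["):
        return dict(kv.split("=", 1) for kv in ctrl.strip("[]").split())
    return CONTROLS[ctrl]

def run_stack(stack, outcomes):
    """Evaluate (control, module) pairs against simulated module outcomes.

    outcomes maps module -> PAM return code ("success", "auth_err", ...);
    a module absent from outcomes is assumed to return "success".
    Returns "success" or "failure", as the application would see it.
    """
    impression = None                       # first decisive result so far
    for ctrl, module in stack:
        actions = parse_control(ctrl)
        code = outcomes.get(module, "success")
        action = actions.get(code, actions.get("default", "bad"))
        if action == "ignore":
            continue                        # result does not count
        if action in ("ok", "done") and impression is None:
            impression = "success"
        if action in ("bad", "die") and impression != "failure":
            impression = "failure"          # first failure is what PAM returns
        if action in ("done", "die"):
            break                           # stack terminates here
    return impression or "failure"

# The auth and account stacks quoted above (hypothetical module outcomes).
SECONDARY = "pam_ldap.so config=/etc/secondary.ldap.conf"
AUTH = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
        ("sufficient", "pam_ldap.so"), ("sufficient", SECONDARY),
        ("required", "pam_deny.so")]
ACCOUNT = [("required", "pam_unix.so"),
           ("[default=bad success=ok user_unknown=ignore service_err=ignore "
            "system_err=ignore]", "pam_ldap.so")]
DENY = {"pam_deny.so": "auth_err"}          # pam_deny always fails

def user_only_on_secondary():
    """pam_unix and the primary pam_ldap fail, the secondary one succeeds."""
    return run_stack(AUTH, {"pam_unix.so": "auth_err", "pam_ldap.so": "auth_err", **DENY})

def user_unknown_everywhere():
    """Every sufficient module fails, so pam_deny decides the result."""
    return run_stack(AUTH, {"pam_unix.so": "auth_err", "pam_ldap.so": "auth_err",
                            SECONDARY: "auth_err", **DENY})

def local_account_unknown_to_ldap():
    """user_unknown from pam_ldap is ignored; pam_unix alone decides."""
    return run_stack(ACCOUNT, {"pam_ldap.so": "user_unknown"})
```

With these outcomes the stack as written does fall through to the second pam_ldap line, so any difference from the behaviour observed with tcpdump lies in what the modules themselves do, not in the control-flag logic.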