Can log in with either local(shadow) or ldap password
RB
aoz.syn at gmail.com
Thu Feb 5 22:48:59 UTC 2009
It's unclear what you're asking, but I'll make a stab at answering anyway.
On Thu, Feb 5, 2009 at 14:38, Orion Poplawski <orion at cora.nwra.com> wrote:
> On our laptops we have local users defined in /etc/shadow for offline use.
It's more a security question than a usability one, but why aren't you
using nscd for such offline use instead of granting "dual" accounts?
> We also authenticate against an LDAP server. Interestingly, when on the network a
> user can log in with either the local or ldap password. I would have expected
> only the local password to work.
This doesn't make sense, perhaps you meant "off the network" or "only
the LDAP password to work"? Your local passwords work anywhere
because pam_unix is 'sufficient' on your stack before pam_ldap.
Reverse that (and the *_first_pass args) if you want network
authentication to be tried first.
> system-auth:
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
It'll probably be more efficient (and readable) to use "pam_min_uid"
in /etc/ldap.conf than to use the pam_succeed_if trick.
Your prior question (about using SSHA hashes) now seems to indicate
you're wanting to keep the local & network passwords in-sync. The
best way would be to use cached credentials (via nscd) and forget
about doing local users. Failing that, you could stack pam_ldap.so
above pam_unix.so in the password module thus:
password required pam_ldap.so
password required pam_unix.so use_authtok
That (use_authtok) will keep the passwords in-sync, but you won't be
able to perform offline password changes. Changing pam_ldap to
'sufficient' would allow offline changes, but they'd be out-of-sync
until you performed a successful online change.
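The behaviour discussed in this thread follows from the pam.conf(5) control flags, and it is easier to see by stepping through the stack than by reading it. The following is an added example, not code from the thread or from Linux-PAM: a small Python model of how an "auth" stack is walked (required, requisite, sufficient, optional), run over the system-auth quoted above and over the literal swap RB suggests. The user accounts, passwords and the return-code values are constructed for the model; pam_unix and pam_ldap are reduced to a plaintext comparison, and the single typed password reaches every module because of the try_first_pass/use_first_pass arguments.

```python
from __future__ import annotations

import operator
from dataclasses import dataclass

# Numeric values mirror Linux-PAM's _pam_types.h; only these two are modelled.
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    local_pw: str | None   # what /etc/shadow would verify (plaintext in this model)
    ldap_pw: str | None    # what the LDAP server would verify


@dataclass(frozen=True)
class Entry:
    control: str                 # required | requisite | sufficient | optional
    module: str
    args: tuple[str, ...] = ()


_CMP = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
        "<": operator.lt, "=": operator.eq, "!=": operator.ne}


def run_module(entry: Entry, user: User, password: str) -> int:
    """Model each module's verdict for one typed password (constructed model)."""
    m = entry.module
    if m == "pam_env.so":
        return PAM_SUCCESS                       # only sets environment variables
    if m == "pam_unix.so":
        ok = user.local_pw is not None and password == user.local_pw
        return PAM_SUCCESS if ok else PAM_AUTH_ERR
    if m == "pam_ldap.so":
        ok = user.ldap_pw is not None and password == user.ldap_pw
        return PAM_SUCCESS if ok else PAM_AUTH_ERR
    if m == "pam_succeed_if.so":
        field, op, value = entry.args[:3]        # e.g. ("uid", ">=", "500")
        if field != "uid":
            raise ValueError(f"model only supports uid tests, got {field}")
        return PAM_SUCCESS if _CMP[op](user.uid, int(value)) else PAM_AUTH_ERR
    if m == "pam_deny.so":
        return PAM_AUTH_ERR
    raise ValueError(f"unknown module {m}")


def authenticate(stack: list[Entry], user: User, password: str):
    """Walk the stack with pam.conf(5) control-flag semantics (simplified).
    Returns (final return code, trace of the modules actually consulted)."""
    first_failure = None   # code of the first failing required/requisite module
    trace = []
    for e in stack:
        rc = run_module(e, user, password)
        trace.append(f"{e.module}:{'ok' if rc == PAM_SUCCESS else 'fail'}")
        if e.control == "required":
            if rc != PAM_SUCCESS and first_failure is None:
                first_failure = rc               # remember it, but keep walking
        elif e.control == "requisite":
            if rc != PAM_SUCCESS:                # stop at once
                return (first_failure if first_failure is not None else rc), trace
        elif e.control == "sufficient":
            if rc == PAM_SUCCESS and first_failure is None:
                return PAM_SUCCESS, trace        # short-circuit: nothing below runs
        elif e.control == "optional":
            pass                                 # ignored unless it is the only module
        else:
            raise ValueError(f"unknown control {e.control}")
    return (PAM_SUCCESS if first_failure is None else first_failure), trace


# The system-auth stack quoted in the thread.
QUOTED_STACK = [
    Entry("required",   "pam_env.so"),
    Entry("sufficient", "pam_unix.so", ("nullok", "try_first_pass")),
    Entry("requisite",  "pam_succeed_if.so", ("uid", ">=", "500", "quiet")),
    Entry("sufficient", "pam_ldap.so", ("use_first_pass",)),
    Entry("required",   "pam_deny.so"),
]

# The suggested reversal taken literally: the two sufficient lines and their
# *_first_pass arguments swapped, everything else left in place.
REVERSED_STACK = [
    Entry("required",   "pam_env.so"),
    Entry("sufficient", "pam_ldap.so", ("try_first_pass",)),
    Entry("requisite",  "pam_succeed_if.so", ("uid", ">=", "500", "quiet")),
    Entry("sufficient", "pam_unix.so", ("nullok", "use_first_pass")),
    Entry("required",   "pam_deny.so"),
]

# Constructed accounts: a laptop user with different local and LDAP passwords,
# and a low-uid service account that exists both locally and in the directory.
ALICE = User("alice", 1000, local_pw="local-secret", ldap_pw="ldap-secret")
SVC = User("svc", 100, local_pw="svc-secret", ldap_pw="svc-ldap")

if __name__ == "__main__":
    for stack_name, stack in (("quoted", QUOTED_STACK), ("reversed", REVERSED_STACK)):
        for user, pw in ((ALICE, "local-secret"), (ALICE, "ldap-secret"),
                         (ALICE, "wrong"), (SVC, "svc-secret"), (SVC, "svc-ldap")):
            rc, trace = authenticate(stack, user, pw)
            verdict = "ACCEPT" if rc == PAM_SUCCESS else "DENY"
            print(f"{stack_name:8} {user.name:6} {pw:13} -> {verdict:6} via {' > '.join(trace)}")
```

Running it shows both of alice's passwords accepted under either ordering, because both modules are "sufficient" and the order only decides which one is consulted first. The trace also shows what the pam_succeed_if line is doing: in the quoted stack it sits between pam_unix and pam_ldap, so a uid below 500 never reaches LDAP and can only use the local password, whereas after a literal swap the same requisite line guards pam_unix instead and a low-uid account is denied its local password while its LDAP password now passes. If the two sufficient lines are reversed, the pam_succeed_if line has to move with pam_ldap to keep that restriction.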