
how to stack pam rules to success auth service even with ldap server unavailable



Hi

How do I restack these pam rules so that the auth type of the ldap service
will still be PAM_SUCCESS and seamless to the user even
when the ldap server is unavailable?

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

I noticed the pam_ldap module has the following argument:

ignore_authinfo_unavail
              Specifies that pam_ldap should return PAM_IGNORE if it
              cannot contact the LDAP server. This option forces
              the PAM framework to ignore the pam_ldap module in this case.

I am thinking of stacking it like this, so that if the ldap server is
unavailable, pam_ldap will be ignored and it will let users in if they are
listed in the local passwd file. However, I need to make sure that when the
ldap server is available, if pam_ldap fails, this stack will fail and not
allow a user with an invalid ldap passwd.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass ignore_authinfo_unavail
auth        sufficient    pam_localuser.so file=/path/to/local/passwd/file
auth        required      pam_deny.so

Please advise


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
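
An added example, not part of the original message: a simplified Python model of how Linux-PAM applies the required/requisite/sufficient controls, run over the proposed stack. The per-module return codes in `verdict` are assumptions (notably that pam_localuser returns PAM_SUCCESS whenever the user is listed in the file, without checking a password); no real PAM modules are called.

```python
# Simplified model of how Linux-PAM walks an auth stack (added example).
OK, IGNORE = "PAM_SUCCESS", "PAM_IGNORE"

def parse(stack_text):
    """Return [(control, module)] from 'auth <control> <module> [args]' lines."""
    rules = []
    for line in stack_text.strip().splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            rules.append((fields[1], fields[2]))
    return rules

def evaluate(rules, results):
    """results maps module name -> assumed return code; returns the verdict."""
    failed = None        # first failure recorded by a 'required' module
    succeeded = False
    for control, module in rules:
        rc = results.get(module, IGNORE)
        if rc == IGNORE:
            continue                     # PAM_IGNORE never affects the verdict
        if rc == OK:
            succeeded = True
            if control == "sufficient" and failed is None:
                return OK                # 'done': stop here with success
        elif control == "requisite":
            return failed or rc          # 'die': stop here with failure
        elif control == "required":
            failed = failed or rc        # 'bad': remember it, keep going
        # a failing 'sufficient' module is ignored (default=ignore)
    return failed or (OK if succeeded else "PAM_PERM_DENIED")

PROPOSED = """
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass ignore_authinfo_unavail
auth sufficient pam_localuser.so file=/path/to/local/passwd/file
auth required   pam_deny.so
"""

def verdict(ldap_rc, listed_locally):
    """Constructed scenario: uid >= 500, password rejected by pam_unix."""
    local_rc = OK if listed_locally else "PAM_PERM_DENIED"
    results = {"pam_env.so": OK, "pam_unix.so": "PAM_AUTH_ERR",
               "pam_succeed_if.so": OK, "pam_ldap.so": ldap_rc,
               "pam_localuser.so": local_rc, "pam_deny.so": "PAM_AUTH_ERR"}
    return evaluate(parse(PROPOSED), results)
```

Under these assumptions, `verdict("PAM_IGNORE", True)` and `verdict("PAM_AUTH_ERR", True)` both return PAM_SUCCESS: a failing `sufficient` module is ignored either way, so an unreachable server and a wrong LDAP password give the same result for a user listed in the local file.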

