ldap authentication fallback to system authentication problem

Robin M. robin at primus.ca
Tue Apr 20 04:25:17 UTC 2004


On Mon, 19 Apr 2004, Ken Sorensen wrote:
> > Hi, I have used the setup tool provided with Red Hat to use ldap for system
> > authentication. I can see that it correctly modified my /etc/pam* files
> > and authentication over ssh works against the ldap database. I have
> > allowed root to ssh in and that account does not exist in my ldap database
> > but I guess it falls back to /etc/passwd as specified in
> > /etc/nsswitch.conf
> >
> > My problem is that when I shut ldap down the authentication fails
> > entirely, instead of just reading the /etc/passwd file.
> >
> > Does anyone know what config options I must set in order to allow the
> > system to read the /etc/passwd file if ldap is down ?
> >
>
> Hi Robin,
>      I ran into the same problem with all non '/etc/passwd' PAM
> authentication (LDAP, MySQL, Samba,...). First, I would suggest
> you add a generic user account to the '/etc/passwd' file for this
> purpose. I use a regular account to login, then 'su' to the root
> account. If you add 'pam_localuser.so' to the '/etc/pam.d/system-auth'
> file before any of the external authentication entries (pam_ldap.so,
> etc.), you should be able to authenticate with the passwd file before
> any other authentication methods. Be careful with where you put the
> 'pam_localuser.so' entry. I believe if you put it in a 'session' entry,
> it will allow you to login to the server without a password if the
> account exists in '/etc/passwd'.
>
> Entry in '/etc/pam.d/system-auth':
> password sufficient /lib/security/$ISA/pam_localuser.so
>
Thanks Ken, that did help indeed. I tried a couple of variations on your post
and googled a bit with your information and came up with this post from
the openldap list
http://www.openldap.org/lists/openldap-software/200302/msg00204.html

The thread also talked about removing user_unknown=ignore, but I will leave
it until I understand whether or not I need to change it.

The /etc/pam.d/system-auth I ended up with is

<snip>
auth      required      /lib/security/$ISA/pam_env.so
auth      sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth      sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth      required      /lib/security/$ISA/pam_deny.so

account   required      /lib/security/$ISA/pam_unix.so
account   sufficient    /lib/security/$ISA/pam_localuser.so
account   [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password  required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password  sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password  sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password  required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
</snip>
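To see why this stack lets local accounts in while LDAP is down, and why the placement Ken warns about matters, here is an added Python model of how Linux-PAM walks a stanza (the required/sufficient keywords and the [value=action] table, per pam.conf(5)). It is not code from the thread or from Linux-PAM; the module behaviour is simulated, the sample accounts are constructed, and the return code pam_ldap gives for an unreachable server (modelled as service_err) is an assumption.

```python
"""Model of Linux-PAM stack evaluation for the system-auth file above.
Added example, not from the thread: module results are simulated and the
accounts are constructed. Only the auth and account stanzas are walked."""
import re
from dataclasses import dataclass, field

# Robin's final auth and account stanzas, copied from the message above.
SYSTEM_AUTH = """
auth      required      /lib/security/$ISA/pam_env.so
auth      sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth      sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth      required      /lib/security/$ISA/pam_deny.so

account   required      /lib/security/$ISA/pam_unix.so
account   sufficient    /lib/security/$ISA/pam_localuser.so
account   [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
"""

# The placement Ken warns about: pam_localuser only checks that the user is
# in /etc/passwd, so as a 'sufficient' auth entry it ends the auth stack
# successfully before any module has looked at the password.
MISPLACED_LOCALUSER = "auth sufficient /lib/security/$ISA/pam_localuser.so\n" + SYSTEM_AUTH

# Keyword controls written as the [value=action] tables they expand to.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse_control(token):
    if token.startswith("["):
        return dict(p.split("=", 1) for p in token[1:-1].split())
    return KEYWORDS[token]

def parse_stack(text, stanza):
    """Return [(control_table, module_basename, args)] for one stanza."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        typ, control, path, args = LINE_RE.match(line).groups()
        if typ == stanza:
            entries.append((parse_control(control), path.rsplit("/", 1)[-1], args.split()))
    return entries

@dataclass
class Ctx:
    user: str
    password: str
    ldap_up: bool
    # Constructed accounts (plaintext only because this is a model).
    local_passwd: dict = field(default_factory=lambda: {"root": "local-root-pw"})
    ldap_users: dict = field(default_factory=lambda: {"ken": "ken-ldap-pw"})

def nss_knows(ctx, user):
    # getpwnam() follows nsswitch.conf: files first, then ldap while reachable.
    return user in ctx.local_passwd or (ctx.ldap_up and user in ctx.ldap_users)

def pam_unix_auth(ctx, args):
    if not nss_knows(ctx, ctx.user):
        return "user_unknown"
    return "success" if ctx.local_passwd.get(ctx.user) == ctx.password else "auth_err"

def pam_ldap_auth(ctx, args):
    if not ctx.ldap_up:
        return "service_err"          # assumption: how an unreachable server is reported
    if ctx.user not in ctx.ldap_users:
        return "user_unknown"
    return "success" if ctx.ldap_users[ctx.user] == ctx.password else "auth_err"

def pam_ldap_account(ctx, args):
    if not ctx.ldap_up:
        return "service_err"          # same assumption as above
    return "success" if ctx.user in ctx.ldap_users else "user_unknown"

def pam_localuser(ctx, args):         # existence check only, no password involved
    return "success" if ctx.user in ctx.local_passwd else "perm_denied"

MODULES = {
    ("auth", "pam_env.so"): lambda ctx, a: "success",
    ("auth", "pam_unix.so"): pam_unix_auth,
    ("auth", "pam_ldap.so"): pam_ldap_auth,
    ("auth", "pam_deny.so"): lambda ctx, a: "auth_err",
    ("auth", "pam_localuser.so"): pam_localuser,
    ("account", "pam_unix.so"): lambda ctx, a: "success" if nss_knows(ctx, ctx.user) else "user_unknown",
    ("account", "pam_localuser.so"): pam_localuser,
    ("account", "pam_ldap.so"): pam_ldap_account,
}

def run_stack(config, stanza, ctx):
    """Dispatch rules: ok/done record success unless a failure is already
    recorded; bad/die record the first failure; done and die stop the walk;
    ignore drops the result. An all-ignored stack fails (perm_denied)."""
    impression, status = None, "perm_denied"
    for control, module, args in parse_stack(config, stanza):
        rv = MODULES[(stanza, module)](ctx, args)
        action = control.get(rv, control["default"])
        if action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", rv
            if action == "die":
                break
        elif action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", rv
            if action == "done" and impression == "pos":
                break
    return status

def can_login(config, ctx):
    return run_stack(config, "auth", ctx) == "success" and run_stack(config, "account", ctx) == "success"

def scenarios():
    return {
        "local_root_ldap_up": can_login(SYSTEM_AUTH, Ctx("root", "local-root-pw", True)),
        "local_root_ldap_down": can_login(SYSTEM_AUTH, Ctx("root", "local-root-pw", False)),
        "local_root_wrong_pw_ldap_down": can_login(SYSTEM_AUTH, Ctx("root", "guess", False)),
        "ldap_user_ldap_up": can_login(SYSTEM_AUTH, Ctx("ken", "ken-ldap-pw", True)),
        "ldap_user_wrong_pw_ldap_up": can_login(SYSTEM_AUTH, Ctx("ken", "guess", True)),
        "ldap_user_ldap_down": can_login(SYSTEM_AUTH, Ctx("ken", "ken-ldap-pw", False)),
        "misplaced_localuser_empty_pw": can_login(MISPLACED_LOCALUSER, Ctx("root", "", False)),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:32s} {'login' if allowed else 'denied'}")
```

The walk shows the mechanism: with `auth sufficient pam_unix.so` ahead of `pam_ldap.so`, a correct local password ends the auth stack before LDAP is consulted, and in the account stack `pam_localuser.so` as `sufficient` does the same, so whatever `pam_ldap.so` returns while the server is down never reaches the decision for a local account. The last scenario is the check to run against any edited file: a `sufficient pam_localuser.so` line in the auth stanza lets a local account through with an empty password, which is the misplacement Ken describes.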
