
Re: pam_ldap and login



Add following to /etc/pam.d/system-auth or /etc/pam.d/passwd:

account     sufficient    /lib/security/pam_localuser.so


Simon Gao


Mike Brodbelt wrote:

Hi,

Using OpenLDAP 2.0.23, I've got an LDAP directory set up, and I've
installed pam_ldap and nss_ldap on the machine. I've fiddled with the
PAM config files so that su/login/ftp/ssh/cron/passwd all work as
expected, on information stored in LDAP, but I've got one outstanding
problem.

The local /etc/passwd contains the root user account - this is the way I
want it, so at least root can log in and do stuff if LDAP isn't working.
However, I can't get it working so that root and LDAP users can change
passwords. However I change the /etc/pam.d/passwd file, I can get either
LDAP password changing working, or local, but not both. I want it to
attempt to change the password in LDAP first, and then fall back to
local password changing if the user doesn't exist in LDAP, but it won't
play:-

/etc/pam.d/passwd
=======================================
password sufficient pam_ldap.so
password required   pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass


For a user in LDAP, but not in /etc/passwd:-

[fred@nunki fred]$ passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for fred
passwd: password updated successfully

For root:-

[root@nunki pam.d]# passwd
passwd: Authentication information cannot be recovered


Any help would be much appreciated.

Mike.
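The password stack Mike posted, walked through a small model of Linux-PAM's "sufficient" / "required" control semantics so the two outcomes above (fred succeeds, root gets "Authentication information cannot be recovered") can be reproduced offline. This is an added example, not code from either poster or from Linux-PAM; the user sets, the reduced module behaviour and the try_first_pass variant are assumptions about standard pam_ldap/pam_unix behaviour, kept only as far as needed to show what use_first_pass does when no earlier module stored a token.

```python
PAM_SUCCESS = "PAM_SUCCESS"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTHTOK_RECOVER_ERR = "PAM_AUTHTOK_RECOVER_ERR"  # passwd: "Authentication information cannot be recovered"

# Constructed sample data: fred exists only in LDAP, root only in /etc/passwd.
LDAP_USERS = {"fred"}
LOCAL_USERS = {"root"}

def pam_ldap(user, state, opts):
    """Model of pam_ldap.so chauthtok: an unknown user fails before any prompt."""
    if user not in LDAP_USERS:
        return PAM_USER_UNKNOWN
    state["oldauthtok"] = "prompted"  # 'Enter login(LDAP) password:' asked and stored
    return PAM_SUCCESS

def pam_unix(user, state, opts):
    """Model of pam_unix.so chauthtok with use_first_pass / try_first_pass."""
    if user not in LOCAL_USERS:
        return PAM_USER_UNKNOWN
    if "oldauthtok" not in state:
        if "use_first_pass" in opts:
            return PAM_AUTHTOK_RECOVER_ERR  # must reuse a stored token, none exists
        state["oldauthtok"] = "prompted"  # try_first_pass / default: prompt itself
    return PAM_SUCCESS

MODULES = {"pam_ldap.so": pam_ldap, "pam_unix.so": pam_unix}

def run_stack(config, user):
    """Walk the stack with 'sufficient' / 'required' control semantics."""
    state, failure = {}, None
    for line in config.strip().splitlines():
        _type, control, module, *opts = line.split()
        rc = MODULES[module](user, state, opts)
        if control == "sufficient" and rc == PAM_SUCCESS and failure is None:
            return PAM_SUCCESS  # stack ends here; pam_unix is never reached
        if control == "required" and rc != PAM_SUCCESS and failure is None:
            failure = rc  # remembered, but later modules still run
    return failure or PAM_SUCCESS

# The two lines from the thread, and an assumed variant using try_first_pass.
POSTED_CONFIG = """
password sufficient pam_ldap.so
password required   pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass
"""
TRY_FIRST_CONFIG = POSTED_CONFIG.replace("use_first_pass", "try_first_pass")

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("try_first_pass", TRY_FIRST_CONFIG)):
        for user in ("fred", "root"):
            print(f"{name:15} {user:5} -> {run_stack(cfg, user)}")
```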