Re: pam_check_host_attr and pam_check_service_attr when LDAP down
- To: Reed Sandberg <reed@boxitllc.com>
- Subject: Re: pam_check_host_attr and pam_check_service_attr when LDAP down
- From: Ezsra McDonald <Ezsra_McDonald@yahoo.com>
- Date: Mon, 01 Mar 2004 08:52:37 -0600
- Cc: openldap-software@OpenLDAP.org
- In-reply-to: <3138.216.36.77.138.1078009509.squirrel@webmail.boxitllc.com>
- References: <2030.216.36.77.138.1077906354.squirrel@webmail.boxitllc.com> <20040227204818.96162.qmail@web20505.mail.yahoo.com> <3138.216.36.77.138.1078009509.squirrel@webmail.boxitllc.com>
Are you using pam_check_host_attr and pam_check_service_attr parameters
in your ldap.conf file? According to what I read you have to set:
account required /lib/security/pam_ldap.so
You have it set to sufficient.
--Ezsra
On Sat, 2004-02-28 at 17:05, Reed Sandberg wrote:
> I haven't had any problems on my system - though there is a delay if LDAP
> is down when logging in with a local user, my /etc/pam.d/sshd:
> #%PAM-1.0
> auth required /lib/security/pam_nologin.so
> auth sufficient /lib/security/pam_ldap.so
> auth required /lib/security/pam_pwdb.so shadow nodelay
> account sufficient /lib/security/pam_ldap.so
> account required /lib/security/pam_pwdb.so
> password required /lib/security/pam_cracklib.so
> password sufficient /lib/security/pam_ldap.so
> password required /lib/security/pam_pwdb.so shadow nullok use_authtok
> session required /lib/security/pam_pwdb.so
> session required /lib/security/pam_limits.so
>
>
> -Reed
>
> > My nsswitch.conf contains:
> >
> > passwd: files ldap
> > group: ldap files
> > passwd_compat: files ldap
> > shadow: files ldap
> > sudoers: files ldap
> >
> > My pam config contains:
> >
> > other account required /usr/lib/security/pam_ldap.so.1
> > other account required /usr/lib/security/pam_unix.so.1
> >
> > It does not work if LDAP is down.
> >
> > --- Reed Sandberg <reed@boxitllc.com> wrote:
> >> Locally defined users may still login if you have
> >> 'passwd' set correctly
> >> in /etc/nsswitch.conf:
> >> passwd: files ldap
> >>
> >> -Reed
> >>
> >> > Greetings everyone,
> >> >
> >> > I just want to confirm that I understand these two
> >> > settings.
> >> >
> >> > For them to work the pam ldap account entry has to
> >> > be set to 'required'. If pam ldap account is required
> >> > then if LDAP is down no one, not even locally defined
> >> > users, can login.
> >> >
> >> > Is my understanding of these settings correct?
> >> >
> >> > Is there a way to allow locally defined users to
> >> > login if LDAP is down?
> >> >
> >> > Good day,
> >> > --Ezsra
> >> >
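Added example, not code from this thread nor from pam_ldap or Linux-PAM: a small Python simulator of the `account` stack control flags the thread argues about. The module behaviour is a simplified assumption: pam_ldap's account check fails when the directory is unreachable or when pam_check_host_attr / pam_check_service_attr rejects the request, and pam_unix's account check succeeds for any user that name-service lookup can resolve (with `passwd: files ldap`, that is every local user always and every directory user only while LDAP is up). Running it shows why the two settings pull in opposite directions: `required` enforces the host attribute but locks local users out while LDAP is down, while `sufficient` lets local users in during an outage but also lets a directory user whom pam_ldap rejected fall through to pam_unix.

```python
"""Toy simulator of PAM control-flag semantics for an `account` stack.

Added example only; the module models below are assumptions, not the real
pam_ldap / pam_unix code paths (real modules return many distinct codes).
"""
from dataclasses import dataclass

SUCCESS = "PAM_SUCCESS"
FAIL = "PAM_FAIL"          # stands in for any failure code


@dataclass(frozen=True)
class Entry:
    control: str   # required | requisite | sufficient | optional
    module: str    # "pam_ldap" or "pam_unix"


@dataclass(frozen=True)
class World:
    """Constructed state of the system for one login attempt."""
    ldap_up: bool
    user_in_files: bool     # present in /etc/passwd
    user_in_ldap: bool      # present in the directory
    host_allowed: bool      # host/service attribute permits this login


def pam_ldap_account(w: World) -> str:
    # Assumption: an unreachable directory is a failure, not a pass.
    if not w.ldap_up:
        return FAIL                                  # e.g. PAM_AUTHINFO_UNAVAIL
    if not w.user_in_ldap:
        return FAIL                                  # e.g. PAM_USER_UNKNOWN
    return SUCCESS if w.host_allowed else FAIL       # pam_check_host_attr


def pam_unix_account(w: World) -> str:
    # Assumption: pam_unix only needs NSS to resolve the account.
    if w.user_in_files or (w.ldap_up and w.user_in_ldap):
        return SUCCESS
    return FAIL


MODULES = {"pam_ldap": pam_ldap_account, "pam_unix": pam_unix_account}


def run_stack(stack, w: World) -> bool:
    """Evaluate a stack with the classic control-flag rules; True = allowed."""
    failed = False
    for e in stack:
        rc = MODULES[e.module](w)
        if e.control == "required":
            if rc != SUCCESS:
                failed = True          # remembered; remaining modules still run
        elif e.control == "requisite":
            if rc != SUCCESS:
                return False           # stop immediately
        elif e.control == "sufficient":
            if rc == SUCCESS and not failed:
                return True            # short-circuit; later modules are skipped
            # a failing sufficient module is simply ignored
        elif e.control == "optional":
            pass
        else:
            raise ValueError(f"unknown control flag {e.control!r}")
    return not failed


REQUIRED_STACK = [Entry("required", "pam_ldap"), Entry("required", "pam_unix")]
SUFFICIENT_STACK = [Entry("sufficient", "pam_ldap"), Entry("required", "pam_unix")]

# Constructed scenarios from the thread.
LOCAL_USER_LDAP_DOWN = World(ldap_up=False, user_in_files=True,
                             user_in_ldap=False, host_allowed=False)
LDAP_USER_WRONG_HOST = World(ldap_up=True, user_in_files=False,
                             user_in_ldap=True, host_allowed=False)


def compare() -> dict:
    """Return the four outcomes the thread argues about."""
    return {
        "required, local user, LDAP down": run_stack(REQUIRED_STACK, LOCAL_USER_LDAP_DOWN),
        "sufficient, local user, LDAP down": run_stack(SUFFICIENT_STACK, LOCAL_USER_LDAP_DOWN),
        "required, LDAP user, host not allowed": run_stack(REQUIRED_STACK, LDAP_USER_WRONG_HOST),
        "sufficient, LDAP user, host not allowed": run_stack(SUFFICIENT_STACK, LDAP_USER_WRONG_HOST),
    }


if __name__ == "__main__":
    for case, allowed in compare().items():
        print(f"{case:42s} -> {'allowed' if allowed else 'denied'}")
```

The `sufficient` rule also checks that no earlier `required` module has already failed; that detail is what keeps a `sufficient` line from overriding a failure recorded above it.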