Also, much documentation on the internet is plain wrong and untested. For example, people will say this is ok:

#%PAM-1.0
auth sufficient pam_ldap.so
auth include system-auth
account required pam_nologin.so
account sufficient pam_ldap.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so

It's not:

#%PAM-1.0
auth sufficient pam_ldap.so
auth include system-auth
account required pam_nologin.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] pam_ldap.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so

On Wed, Feb 3, 2010 at 5:38 PM, Tom Lanyon <tom at netspot.com.au> wrote:
> On 04/02/2010, at 7:29 AM, Sean Carolan wrote:
>> If I stop the LDAP server though, I'm unable to log onto this server
>> with my ssh key or password.  Is there a way to keep shadow passwords
>> as a failover method for logging in if the LDAP server is down?
>
> What is listed in your /etc/nsswitch.conf for passwd, shadow and group?
>
> If you do not have an entry for 'files' then the local /etc/{passwd,shadow,group} files will not be searched.
>
> Hope this helps.
>
> Tom
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
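
Added example (not part of the original message or of the 389 project): a simplified Python model of how libpam walks an account stack, using the keyword expansions documented in pam.conf(5), run over the two account lines in the message above. The one-line stand-in for system-auth, the function names and the module return values are constructed assumptions.

```python
# Simplified model of libpam stack evaluation (added example, not from the post).
SHORTHAND = {  # keyword controls as expanded in pam.conf(5)
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_control(control):
    """Turn 'sufficient' or '[default=bad success=ok ...]' into {retval: action}."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return SHORTHAND[control]

def run_stack(stack, returns):
    """stack: [(control, module)]; returns: {module: retval}. Gives the final result."""
    status, impression = None, None      # impression: None, "positive" or "negative"
    for control, module in stack:
        retval = returns[module]
        actions = parse_control(control)
        action = actions.get(retval, actions["default"])  # model assumes a default is set
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                    # stack ends here; later modules never run
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # first failure is remembered
            if action == "die":
                break
        # "ignore": this module's result counts neither for nor against
    return status if impression is not None else "must_fail"

SYSTEM_AUTH = [("required", "pam_unix.so")]  # constructed stand-in for 'include system-auth'
def account_stack(ldap_control):
    return [("required", "pam_nologin.so"), (ldap_control, "pam_ldap.so")] + SYSTEM_AUTH

FIRST = account_stack("sufficient")
SECOND = account_stack("[default=bad success=ok user_unknown=ignore service_err=ignore "
                       "system_err=ignore authinfo_unavail=ignore]")

def compare(ldap_result, unix_result="success"):
    """Result of (first, second) account stack for constructed module return values."""
    returns = {"pam_nologin.so": "success", "pam_ldap.so": ldap_result, "pam_unix.so": unix_result}
    return run_stack(FIRST, returns), run_stack(SECOND, returns)

if __name__ == "__main__":
    for ldap in ("success", "user_unknown", "authinfo_unavail", "acct_expired"):
        print(ldap, compare(ldap))
```

With these constructed inputs both stacks still succeed when pam_ldap.so reports authinfo_unavail, but only the bracketed form turns an acct_expired result from pam_ldap.so into a failure. In the sufficient form a success from pam_ldap.so also ends the stack before the system-auth account checks run.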