Change all ldap modules to sufficient or optional or keep your ldap
server running :-)

-Brad

Michael Kress wrote:

>Hello,
>
>I tried to implement authentication to ldap via pam_ldap and I'm encountering
>problems - I wonder if you could be a help to my problem:
>
>The problem in brief: After a conversion towards pam_ldap I can't login
>anymore into my machine when the ldap server isn't started.
>Imagine the scenario: The machine boots (normally it doesn't) ;-) and it
>can't mount /var, so the slapd can't start up.
>
>As far as I've understood the sense of /etc/nsswitch.conf it determines the
>order of usage of fall back services, i.e. if one service fails, the next one
>will be consulted, and so on...
>
>So, my nsswitch.conf looks like:
>...
>passwd: files nisplus nis ldap
>shadow: files nisplus nis ldap
>group: files nisplus nis ldap
>...
>
>(I tried some variations like: ldap files, etc.)
>
>Since I'm using redhat 7.2 I used authconfig which generated this
>file: /etc/pam.d/system-auth ... after I instructed it to use ldap for
>authentication:
>--------------------------------------------------------------------------------
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth required /lib/security/pam_env.so
>auth sufficient /lib/security/pam_unix.so likeauth nullok
>auth sufficient /lib/security/pam_ldap.so use_first_pass
>auth required /lib/security/pam_deny.so
>
>account required /lib/security/pam_unix.so
>account required /lib/security/pam_ldap.so
>
>password required /lib/security/pam_cracklib.so retry=3 type=
>password sufficient /lib/security/pam_unix.so nullok use_authtok nis
>password sufficient /lib/security/pam_ldap.so use_authtok
>password required /lib/security/pam_deny.so
>
>session required /lib/security/pam_limits.so
>session required /lib/security/pam_unix.so
>session optional /lib/security/pam_ldap.so
>--------------------------------------------------------------------------------
>
>So, I can login without any problems, no matter if this user is located in
>/etc/passwd or in the ldap People database, but when I stop slapd, I can't
>even log in as a /etc/passwd user (e.g. even root!).
>Fortunately I had a couple of other root shells open to this machine. :)
>Is there any way to achieve this, to be able to login with a stopped slapd ?
>Besides the HOWTOS, is there any documentation which handles exactly this
>problem ?
>
>Thanks in advance for your help!
>
> Michael
>
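
Added example, not part of either message and not libpam code: a simplified Python model of the PAM control flags, run over the auth and account stacks of the quoted system-auth. It shows that with slapd stopped the auth stack still passes for an /etc/passwd user and the "account required pam_ldap.so" line is what refuses the login, and that the reply's change to sufficient removes it. Assumptions: pam_ldap.so fails every call while the server is unreachable, every other module except pam_deny.so succeeds for a local user, and all function names are made up for this example.

```python
# Added example: simplified model of Linux-PAM control flags, not libpam itself.
# Assumption: pam_ldap.so fails every call while slapd is unreachable.
NETWORK_MODULES = {"pam_ldap.so"}

# auth and account stacks from the quoted system-auth
ORIGINAL = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so
"""
# the reply's suggestion applied to the account stack
FIXED = ORIGINAL.replace("account required /lib/security/pam_ldap.so",
                         "account sufficient /lib/security/pam_ldap.so")

def parse(conf):
    """Return [(type, control, module_name)] for each non-comment line."""
    rows = [l.split() for l in conf.splitlines() if l.strip() and not l.startswith("#")]
    return [(r[0], r[1], r[2].rsplit("/", 1)[-1]) for r in rows]

def run_stack(rules, mtype, failing):
    """Evaluate one stack; modules in `failing` error out (ignored if sufficient/optional)."""
    failed = succeeded = False
    for t, control, module in rules:
        if t != mtype:
            continue
        if module not in failing:
            if control == "sufficient" and not failed:
                return True          # success ends the stack early
            succeeded = True
        elif control == "requisite":
            return False             # failure ends the stack at once
        elif control == "required":
            failed = True            # remembered, rest of the stack still runs
    return succeeded and not failed

def local_login_ok(conf, ldap_up):
    """Can a user from /etc/passwd pass both auth and account?"""
    failing = {"pam_deny.so"} | (set() if ldap_up else NETWORK_MODULES)
    rules = parse(conf)
    return all(run_stack(rules, t, failing) for t in ("auth", "account"))

def lockout_risks(conf):
    """Lines where a directory outage fails the whole stack."""
    return [(t, c, m) for t, c, m in parse(conf)
            if m in NETWORK_MODULES and c in ("required", "requisite")]
```

Running lockout_risks() over a pam.d file before stopping the directory server lists the lines that would deny local accounts during the outage.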