Re: ldap authentication

We had the same problem and resolved it by putting [NOTFOUND=continue] in our nsswitch.conf
 
i.e.
 
passwd:     files [NOTFOUND=continue] ldap
shadow:     files [NOTFOUND=continue] ldap
group:      files [NOTFOUND=continue] ldap

After that everything worked fine. Don't ask me why though! From my reading of the man pages this should be the default behaviour anyway, i.e. the nsswitch file says "look in files first and then LDAP", so I would have thought it would take the first match it found. What appears to happen is that it looks in files and then looks in LDAP as well, and the NOTFOUND short-circuits this.

----- Original Message -----
Sent: Thursday, September 19, 2002 11:29 PM
Subject: ldap authentication

Hello,
 
First, I'm a newbie in the Linux world.
 
Here is my problem: I configured the Linux system to keep user accounts in an LDAP directory (openldap). I used authconfig to do so. It is working fine, no problems.
 
But if the openldap daemon stops, nobody can log in anymore, even root!
 
Something I don't understand: root is not in the LDAP directory, but he needs the LDAP server to be running.
 
Can anyone help me, please?
 
Thanks
 
Philippe Joliet
 
 
P.S. my system-auth file is:
 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
 
account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
 
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so
 
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
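
Added example, not part of the original messages: a small Python model of the documented glibc nsswitch.conf action syntax, which parses a line such as the passwd entry in the reply above and walks the service chain for a given set of lookup results. The function names and the lookup scenarios are constructed for illustration; it models only the documented rules (default actions SUCCESS=return, everything else continue), not the behaviour of any particular nss_ldap build.

```python
import re

# Documented glibc defaults when a service has no [STATUS=action] item.
DEFAULTS = {"success": "return", "notfound": "continue",
            "unavail": "continue", "tryagain": "continue"}

def parse_line(line):
    """Return (database, [(service, {status: action}), ...]) or None."""
    line = line.split("#", 1)[0].strip()
    if ":" not in line:
        return None
    database, spec = line.split(":", 1)
    chain = []
    for token in re.findall(r"\[[^\]]*\]|\S+", spec):
        if not token.startswith("["):
            chain.append((token, dict(DEFAULTS)))
            continue
        if not chain:
            raise ValueError("action item before any service: " + token)
        for item in token[1:-1].split():
            negate = item.startswith("!")
            status, _, action = item.lstrip("!").lower().partition("=")
            # "merge" (newer glibc) is deliberately not modelled here.
            if status not in DEFAULTS or action not in ("return", "continue"):
                raise ValueError("unsupported action item: " + item)
            for s in DEFAULTS:
                # [!STATUS=action] applies to every status except STATUS.
                if (s != status) == negate:
                    chain[-1][1][s] = action
    return database.strip(), chain

def lookup(chain, results):
    """Walk the chain. results maps service -> status it would report
    (constructed input). Returns (services consulted, final status)."""
    consulted, status = [], "notfound"
    for service, actions in chain:
        status = results[service]
        consulted.append(service)
        if actions[status] == "return":
            break
    return consulted, status

if __name__ == "__main__":
    explicit = parse_line("passwd:     files [NOTFOUND=continue] ldap")
    implicit = parse_line("passwd:     files ldap")
    print("same action table:", explicit == implicit)
    # Constructed scenarios: LDAP server down, entry present/absent in files.
    print(lookup(explicit[1], {"files": "success", "ldap": "unavail"}))
    print(lookup(explicit[1], {"files": "notfound", "ldap": "unavail"}))
```

Running the same parser over the real /etc/nsswitch.conf shows, per database, which services can be reached before the chain stops.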