I guess this has been asked a thousand times before, but I haven't found anything in the docs or on Google that could help me.
Probably you can. Here we go:
I have set up a heterogeneous network (Windows, Mac OS X, Linux) that authenticates against an LDAP server. It works great.
However, there are some woes with the Linux machines (all of which are Debian-based).
I have both libnss-ldap and libpam-ldap installed to make it work.
NOW: when my LDAP server crashes, I cannot log in any more with local accounts (namely root), which I consider quite bad.
Now my setting is
/etc/pam.d/login:
    auth required   /lib/security/pam_securetty.so
    auth required   /lib/security/pam_nologin.so
    auth sufficient /lib/security/pam_unix_auth.so
    auth required   /lib/security/pam_ldap.so try_first_pass
    ...
(Everywhere, the sufficient pam_unix comes before the required pam_ldap.)
/etc/nsswitch.conf:
    passwd: files ldap
    group:  files ldap
    shadow: files ldap
    ...
(so "files" should be consulted before "ldap")
However, when I disconnect a Unix machine from the net, I cannot log in as root (which is of course kept in passwd/shadow).
I do guess this is because pam_unix uses the NSS mechanism for authentication, which in turn is configured to use LDAP (besides local files).
I don't want to kick out the "ldap" directive in nsswitch.conf, because I'd like my usernames mapped to the correct user IDs.
Now my question: isn't there a simple PAM module that allows authentication against a passwd/shadow file pair?
I guess this is the whole fuss about PAM: to have a number of small modules that each perform a specific task, like authentication against a specific system.
mfg.asd.r IOhannes
-- IEM - network operation center mailto:noc@xxxxxx
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
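Editor's added example, not part of the message above or of the libnss-ldap/libpam-ldap packages. The poster's guess that the block sits in NSS rather than PAM is consistent with how the stack behaves: once the sufficient pam_unix line accepts root's local password, the auth stack returns without ever calling pam_ldap, but login still asks NSS for root's supplementary groups (initgroups), and nss_ldap's default bind_policy hard keeps retrying an unreachable server. The script below audits the three files that decide whether a local login survives an LDAP outage and shows the fail-fast client settings: it checks that a sufficient pam_unix precedes pam_ldap in the auth stack, that "files" precedes "ldap" for passwd/group/shadow in nsswitch.conf, and that the nss_ldap client config uses bind_policy soft with finite timeouts. It runs on constructed sample files written to a temp directory; the file paths, the sample server address 192.0.2.10 and the 5-second limits are this example's own choices, and the keywords bind_policy, bind_timelimit, timelimit and nss_initgroups_ignoreusers are assumed to be those of the PADL nss_ldap client that Debian's libnss-ldap ships.

```shell
#!/bin/sh
# Added example: audit PAM / NSS / nss_ldap settings that let root log in while LDAP is down.
# Point the three path variables at /etc/pam.d/login, /etc/nsswitch.conf and the nss_ldap
# client file (/etc/libnss-ldap.conf on Debian) to audit a real host; the defaults below
# are constructed samples, not a real configuration.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PAM_LOGIN="$WORK/login"            # constructed copy of the auth stack from the post
PAM_LOGIN_BAD="$WORK/login.bad"    # constructed counter-example: pam_ldap is hit first
NSSWITCH="$WORK/nsswitch.conf"     # constructed
NSS_LDAP="$WORK/libnss-ldap.conf"  # constructed, with nss_ldap's default bind_policy hard

cat >"$PAM_LOGIN" <<'EOF'
auth required   pam_securetty.so
auth required   pam_nologin.so
auth sufficient pam_unix.so
auth required   pam_ldap.so try_first_pass
EOF

cat >"$PAM_LOGIN_BAD" <<'EOF'
auth required   pam_ldap.so
auth sufficient pam_unix.so use_first_pass
EOF

cat >"$NSSWITCH" <<'EOF'
passwd: files ldap
group:  files ldap
shadow: files ldap
EOF

cat >"$NSS_LDAP" <<'EOF'
host 192.0.2.10
base dc=example,dc=org
bind_policy hard
EOF

# 0 if a "sufficient" pam_unix auth line precedes every pam_ldap auth line in FILE, so a
# password that pam_unix accepts ends the stack before pam_ldap can contact the server.
# Only the classic keyword controls (required/sufficient/...) are parsed, not [ ... ] forms.
check_pam_order() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $3 ~ /pam_ldap/ { seen_ldap = 1 }
        $1 == "auth" && $3 ~ /pam_unix/ && $2 == "sufficient" && !seen_ldap { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# 0 if passwd, group and shadow in FILE (nsswitch.conf) all list "files" before "ldap".
check_nss_order() {
    awk '
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            fpos = 0; lpos = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !fpos) fpos = i
                if ($i == "ldap"  && !lpos) lpos = i
            }
            if (!fpos || (lpos && lpos < fpos)) bad++
            seen++
        }
        END { exit (seen == 3 && !bad) ? 0 : 1 }
    ' "$1"
}

# 0 if the nss_ldap client config fails fast: soft bind policy plus finite bind/search limits.
check_ldap_client() {
    awk '
        $1 == "bind_policy"    { policy = $2 }
        $1 == "bind_timelimit" { bind_t = $2 + 0 }
        $1 == "timelimit"      { t = $2 + 0 }
        END { exit (policy == "soft" && bind_t > 0 && t > 0) ? 0 : 1 }
    ' "$1"
}

# Rewrite FILE so an unreachable server makes nss_ldap give up after a few seconds and so
# the initgroups() call made at login never queries LDAP for root at all.
harden_ldap_client() {
    grep -Ev '^(bind_policy|bind_timelimit|timelimit|nss_initgroups_ignoreusers)([[:space:]]|$)' "$1" >"$1.new" || :
    cat >>"$1.new" <<'EOF'
bind_policy soft
bind_timelimit 5
timelimit 5
nss_initgroups_ignoreusers root
EOF
    mv "$1.new" "$1"
}

# Run all three checks on PAMFILE NSSWITCHFILE LDAPFILE; returns the number of failures.
audit() {
    failed=0
    if check_pam_order "$1";   then echo "pam:  ok"; else echo "pam:  pam_ldap is reached before a sufficient pam_unix"; failed=$((failed + 1)); fi
    if check_nss_order "$2";   then echo "nss:  ok"; else echo "nss:  ldap listed before files";                        failed=$((failed + 1)); fi
    if check_ldap_client "$3"; then echo "ldap: ok"; else echo "ldap: bind_policy hard / no timeouts, lookups can hang"; failed=$((failed + 1)); fi
    return $failed
}

audit "$PAM_LOGIN" "$NSSWITCH" "$NSS_LDAP" || echo "before hardening: $? check(s) failed"
```

Run as-is to see the sample audit; on a real Debian host of that era the hardening step would be `harden_ldap_client /etc/libnss-ldap.conf` followed by a second `audit`. The PAM and NSS checks pass for the configuration quoted in the post; only the client-side timeout check fails, which is where the hang on a disconnected machine comes from.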