When I try to log in as root, the PAM stack uses LDAP to check the password.
How can I prevent this ? I'd like to have a set of local users, so that PAM looks up in LDAP only if the user doesn't exist on the system.
I've put everywhere pam_unix.so as 'sufficient' and before pam_ldap.so, but to no avail :(
Here is my /etc/pam.d/system-auth :
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_mount.so
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100
account sufficient /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_mount.so session sufficient /lib/security/$ISA/pam_unix.so session sufficient /lib/security/$ISA/pam_ldap.so
Thanks a lot,
-- Damiano ALBANI
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
