Can't you just put

host server1 server2

in ldap.conf?

Tom

On Thu, 9 Sep 2004, Kaleb Pederson wrote:

> I'm trying to get mod_ldap stacked so that it will search two different ldap
> servers on ssh authentication.  If I use either the first configuration or
> the second configuration it works fine.  When I try to stack the modules so
> that it will fall back to the second ldap server on failure, the first entry
> will work (whichever one it may be), but the second one never gets queried --
> (verified with tcpdump).
>
> I'm sure I've missed something as I don't fully understand how the different
> pieces (auth/account/password/session) interact.  Can anybody lead me in the
> right direction?
>
> The error that I get is:
> ... sshd(pam_unix)[32554]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= ...
>
> ---- /etc/pam.d/sshd ----
> auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> session    required     pam_limits.so
> session    optional     pam_console.so
>
> ---- /etc/pam.d/system-auth ----
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> # if I swap the next two, whichever one is first works
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        sufficient    /lib/security/$ISA/pam_ldap.so config=/etc/secondary.ldap.conf use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so
> account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
>
> password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> # if I swap the next two, whichever one is first works
> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
> password    sufficient    /lib/security/$ISA/pam_ldap.so config=/etc/secondary.ldap.conf use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_ldap.so
> # if I add in a second ldap entry here, neither of them will work
> #session     optional      /lib/security/$ISA/pam_ldap.so config=/etc/secondary.ldap.conf
>
> Thanks for the help.
>
> --Kaleb
>
> _______________________________________________
>
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list
>

_______________________________________________________________________
Tom Ryan                                Voice: 856-225-6361
Consulting System Administrator         Fax: 856-969-7900
Rutgers School of Law - Camden          IT Help Desk: 856-225-2343
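
An added example, not part of either poster's message: a simplified Python model of how the PAM dispatcher applies the `required`/`sufficient` control flags to the `auth` lines of the quoted system-auth file. The names `parse` and `run_stack` and the outcome table are assumptions made for the illustration; it models only the control flags, not what pam_ldap does internally.

```python
# Added example: simplified model of the PAM dispatcher's control flags.
# Module outcomes are supplied by hand; no real PAM or LDAP is involved.
# Bracketed controls ([default=bad ...]) are not handled.

# auth lines of the quoted system-auth, with /lib/security/$ISA/ dropped
SYSTEM_AUTH = """\
auth required   pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth sufficient pam_ldap.so config=/etc/secondary.ldap.conf use_first_pass
auth required   pam_deny.so
"""

def parse(text, mtype="auth"):
    """Return [(control, label)]; label is the module plus any config= arg."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != mtype:
            continue
        cfg = [a for a in fields[3:] if a.startswith("config=")]
        stack.append((fields[1], " ".join([fields[2]] + cfg)))
    return stack

def run_stack(stack, outcomes):
    """Walk the stack; outcomes maps label -> True (success) / False (failure).

    Returns (authenticated, labels_of_modules_called).
    """
    ok_seen = failed = False
    called = []
    for control, label in stack:
        ok = outcomes[label]
        called.append(label)
        if control == "sufficient":
            if ok and not failed:
                return True, called      # success ends the stack at once
            continue                     # failure is ignored, keep walking
        if control == "optional" and not ok:
            continue                     # optional failure is ignored
        if ok:
            ok_seen = True
        else:
            failed = True
            if control == "requisite":
                return False, called     # requisite failure ends the stack
    return ok_seen and not failed, called

if __name__ == "__main__":
    results = {"pam_env.so": True, "pam_unix.so": False, "pam_ldap.so": False,
               "pam_ldap.so config=/etc/secondary.ldap.conf": True,
               "pam_deny.so": False}     # constructed outcomes
    print(run_stack(parse(SYSTEM_AUTH), results))
```

With these flags, a failure from the first pam_ldap entry lets the walk continue to the second one, while a success from the first ends the stack before the second is called.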