It's unclear what you're asking, but I'll make a stab at answering anyway.

On Thu, Feb 5, 2009 at 14:38, Orion Poplawski <orion@xxxxxxxxxxxxx> wrote:
> On our laptops we have local users defined in /etc/shadow for offline use.

It's more a security question than a usability one, but why aren't you using nscd for such offline use instead of granting "dual" accounts?

> We also authenticate against an LDAP server. Interestingly, when on the network a
> user can log in with either the local or ldap password. I would have expected
> only the local password to work.

This doesn't make sense; perhaps you meant "off the network" or "only the LDAP password to work"?

Your local passwords work anywhere because pam_unix is 'sufficient' on your stack before pam_ldap. Reverse that (and the *_first_pass args) if you want network authentication to be tried first.

> system-auth:
>
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so

It'll probably be more efficient (and readable) to use "pam_min_uid" in /etc/ldap.conf than to use the pam_succeed_if trick.

Your prior question (about using SSHA hashes) now seems to indicate you're wanting to keep the local & network passwords in-sync. The best way would be to use cached credentials (via nscd) and forget about doing local users. Failing that, you could stack pam_ldap.so above pam_unix.so in the password module thus:

    password    required      pam_ldap.so
    password    required      pam_unix.so use_authtok

That (use_authtok) will keep the passwords in-sync, but you won't be able to perform offline password changes. Changing pam_ldap to 'sufficient' would allow offline changes, but they'd be out-of-sync until you performed a successful online change.

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
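As an added illustration (not part of the original thread), here is the reply's advice written out as one configuration: pam_ldap tried first in the auth stack with the *_first_pass arguments swapped, the uid filter moved into /etc/ldap.conf, and the password stack with use_authtok. The pam_min_uid value of 500 is an assumption chosen to mirror the original "uid >= 500" line.

```text
# /etc/pam.d/system-auth  (auth and password sections only)
#
# auth: LDAP is consulted first.  'sufficient' means a success ends the
# stack immediately, while a failure (wrong password, or no server while
# offline) just falls through to the next line.  try_first_pass on the
# first module prompts the user if nothing is cached yet; use_first_pass
# on the second reuses that same password, so the user is asked only once.
auth        required      pam_env.so
auth        sufficient    pam_ldap.so try_first_pass
auth        sufficient    pam_unix.so nullok use_first_pass
auth        required      pam_deny.so

# password: both modules are 'required', so a change only succeeds if it
# is accepted by LDAP *and* written to /etc/shadow.  use_authtok makes
# pam_unix reuse the new token pam_ldap already collected, keeping both
# copies identical.  With no LDAP server reachable the whole change fails,
# which is the offline trade-off described in the reply.
password    required      pam_ldap.so
password    required      pam_unix.so use_authtok

# /etc/ldap.conf: takes over the job of the pam_succeed_if line above, so
# local system accounts below this uid never trigger an LDAP bind.
# (value assumed; match it to your site's first non-system uid)
pam_min_uid 500
```

Changing the password-stack pam_ldap line to 'sufficient' restores offline changes at the cost of the two copies drifting apart until the next successful online change, exactly as the reply notes.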