Hi
How do I restack these pam rules so auth type of ldap service
will still be a PAM_SUCCESS and seamless to the user even
when ldap server is unavailable?
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
I noticed pam_ldap module has the following argument
ignore_authinfo_unavail
Specifies that pam_ldap should return PAM_IGNORE if it
cannot contact the LDAP server. This option forces
the PAM framework to ignore the pam_ldap module in this case.
I am thinking of stacking it like this. So if ldap server unavailable,
pam_ldap will
be ignored and it will let the users' in if listed in local passwd
file. However, I
need to make sure when ldap server available, if the pam_ldap fails this stack
will fail and not allow user with invalide ldap passwd.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass ignore_authinfo_unavail
auth sufficient pam_localuser file=/path/to/local/passwd/file
auth required pam_deny.so
Please advise
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
