Hi,

How do I restack these pam rules so auth type of ldap service will still be a PAM_SUCCESS and seamless to the user even when ldap server is unavailable?

    auth required   pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite  pam_succeed_if.so uid >= 500 quiet
    auth sufficient pam_ldap.so use_first_pass
    auth required   pam_deny.so

I noticed pam_ldap module has the following argument:

    ignore_authinfo_unavail
        Specifies that pam_ldap should return PAM_IGNORE if it cannot
        contact the LDAP server. This option forces the PAM framework
        to ignore the pam_ldap module in this case.

I am thinking of stacking it like this. So if ldap server is unavailable, pam_ldap will be ignored and it will let the users in if listed in local passwd file. However, I need to make sure that when ldap server is available, if pam_ldap fails this stack will fail and not allow a user with an invalid ldap passwd.

    auth required   pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite  pam_succeed_if.so uid >= 500 quiet
    auth sufficient pam_ldap.so use_first_pass ignore_authinfo_unavail
    auth sufficient pam_localuser.so file=/path/to/local/passwd/file
    auth required   pam_deny.so

Please advise

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
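
Added example, not part of the original post: a simplified Python model of how Linux-PAM combines the required, requisite and sufficient control flags and PAM_IGNORE, run over both stacks from the message. The per-module return values are constructed for one login attempt (a user with uid >= 500 who is listed in the local passwd file and for whom pam_unix fails), and pam_localuser is modelled as checking only that the user is listed in the file, not a password.

```python
# Simplified model of Linux-PAM control-flag handling (added example).
# All per-module results below are constructed inputs, not captured output.
OK, IGNORE, FAIL = "success", "ignore", "fail"

def run_stack(stack, results):
    """Return True if the auth stack as a whole succeeds.

    stack:   list of (control, module) in file order
    results: dict module -> OK / IGNORE / FAIL for one login attempt
    """
    state = None                        # nothing decisive recorded yet
    for control, module in stack:
        r = results[module]
        if r == IGNORE:                 # PAM_IGNORE: as if the line were absent
            continue
        if control == "sufficient":
            if r == OK and state != FAIL:
                return True             # stop here, the stack passes
            continue                    # a failing 'sufficient' is ignored
        if r == OK:
            state = state or OK         # required/requisite success
        else:
            state = FAIL                # required/requisite failure
            if control == "requisite":
                return False            # requisite failure ends the stack
    return state == OK

ORIGINAL = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
            ("requisite", "pam_succeed_if.so"), ("sufficient", "pam_ldap.so"),
            ("required", "pam_deny.so")]
PROPOSED = ORIGINAL[:4] + [("sufficient", "pam_localuser.so"),
                           ("required", "pam_deny.so")]

def attempt(ldap_result, listed_locally=True):
    """Constructed attempt: pam_unix fails, uid >= 500, pam_deny always fails."""
    return {"pam_env.so": IGNORE, "pam_unix.so": FAIL,
            "pam_succeed_if.so": OK, "pam_ldap.so": ldap_result,
            "pam_localuser.so": OK if listed_locally else FAIL,
            "pam_deny.so": FAIL}

if __name__ == "__main__":
    cases = {"LDAP up, good password": OK, "LDAP up, bad password": FAIL,
             "LDAP down (PAM_IGNORE)": IGNORE}
    for name, ldap in cases.items():
        print(f"{name:26} original={run_stack(ORIGINAL, attempt(ldap))} "
              f"proposed={run_stack(PROPOSED, attempt(ldap))}")
```

In this model the proposed stack passes for a listed user both when pam_ldap rejects the password and when it returns PAM_IGNORE, because the sufficient pam_localuser line succeeds without any password check.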