On Mon, 19 Apr 2004, Ken Sorensen wrote:

> > Hi, I have used the setup tool provided with redhat to use ldap for system
> > authentication. I can see that it correctly modified my /etc/pam* files
> > and authentication over ssh works against the ldap database. I have
> > allowed root to ssh in and that account does not exist in my ldap database
> > but I guess it falls back to /etc/passwd as specified in
> > /etc/nsswitch.conf
> >
> > My problem is that when I shut ldap down the authentication fails
> > entirely, instead of just reading the /etc/passwd file.
> >
> > Does anyone know what config options I must set in order to allow the
> > system to read the /etc/passwd file if ldap is down?
> >
>
> Hi Robin,
> I ran into the same problem with all non-'/etc/passwd' PAM
> authentication (LDAP, MySQL, Samba, ...). First, I would suggest
> you add a generic user account to the '/etc/passwd' file for this
> purpose. I use a regular account to login, then 'su' to the root
> account. If you add 'pam_localuser.so' to the '/etc/pam.d/system-auth'
> file before any of the external authentication entries (pam_ldap.so,
> etc.), you should be able to authenticate with the passwd file before
> any other authentication methods. Be careful with where you put the
> 'pam_localuser.so' entry. I believe if you put it in a 'session' entry,
> it will allow you to login to the server without a password if the
> account exists in '/etc/passwd'.
>
> Entry in '/etc/pam.d/system-auth':
> password sufficient /lib/security/$ISA/pam_localuser.so
>

Thanks Ken, that did help indeed. I tried a couple of variations on your post and googled a bit with your information and came up with this post from the openldap list:

http://www.openldap.org/lists/openldap-software/200302/msg00204.html

The thread also talked about removing user_unknown=ignore, but I will leave it until I understand whether or not I need to change it.
The /etc/pam.d/system-auth I ended up with is

<snip>
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
# local (/etc/passwd) accounts pass the account stack here, before pam_ldap is consulted
account     sufficient    /lib/security/$ISA/pam_localuser.so
# LDAP service/system errors are ignored instead of failing the stack
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
</snip>

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
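To see why the stack above behaves differently from the stock one when LDAP is unreachable, here is a toy evaluator of PAM control-flag semantics (pam.conf(5): required/requisite/sufficient/optional and the [value=action] form). It is an added example, not code from the thread or from Linux-PAM. The module behaviour is a simplified model: the user databases are constructed, pam_ldap is assumed to return service_err when the server is down, and the "stock" authconfig stack is reconstructed from memory rather than taken from the thread. It also shows the placement hazard Ken warns about, here as pam_localuser set sufficient in the auth stack, which admits any /etc/passwd user with any password because pam_localuser never checks one.

```python
import re

# Simplified PAM return codes used by the toy modules below.
SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED, SERVICE_ERR = (
    "success", "auth_err", "user_unknown", "perm_denied", "service_err")

# Keyword controls expanded to their [value=action] form, as pam.conf(5) defines them.
CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Constructed user databases: one /etc/passwd account, one LDAP-only account.
LOCAL = {"robin": "local-pw"}
LDAP = {"alice": "ldap-pw"}

RULE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\w+)\s+(\S+)")


def parse_config(text):
    """Turn system-auth style lines into (type, control, module) tuples; module args are ignored."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE.match(line.strip())
        if m:
            typ, ctl, path = m.groups()
            rules.append((typ, ctl, path.rsplit("/", 1)[-1].replace(".so", "")))
    return rules


class System:
    """A host whose LDAP server is up or down. Module return codes are assumptions, not the real modules."""

    def __init__(self, ldap_up):
        self.ldap_up = ldap_up

    def nss_known(self, user):
        # What getpwnam() resolves: local users always, LDAP users only while the server answers.
        return user in LOCAL or (self.ldap_up and user in LDAP)

    def pam_env(self, typ, user, pw):
        return SUCCESS

    def pam_deny(self, typ, user, pw):
        return PERM_DENIED

    def pam_unix(self, typ, user, pw):
        if typ == "auth":
            if user not in LOCAL:
                return USER_UNKNOWN
            return SUCCESS if LOCAL[user] == pw else AUTH_ERR
        return SUCCESS if self.nss_known(user) else USER_UNKNOWN

    def pam_ldap(self, typ, user, pw):
        if not self.ldap_up:
            return SERVICE_ERR          # assumed code for "server unreachable"
        if user not in LDAP:
            return USER_UNKNOWN
        if typ == "auth":
            return SUCCESS if LDAP[user] == pw else AUTH_ERR
        return SUCCESS

    def pam_localuser(self, typ, user, pw):
        # Never looks at the password: succeeds for any user listed in /etc/passwd.
        return SUCCESS if user in LOCAL else PERM_DENIED


def run_stack(system, rules, typ, user, pw):
    """Evaluate one management group (auth/account/...) following pam.conf(5) action semantics."""
    status, failed = None, False
    for t, ctl, mod in rules:
        if t != typ:
            continue
        ret = getattr(system, mod)(typ, user, pw)
        actions = CONTROLS[ctl] if ctl in CONTROLS else dict(
            kv.split("=") for kv in ctl.strip("[]").split())
        action = actions.get(ret, actions.get("default", "bad"))
        if action in ("bad", "die"):
            if not failed:              # the first failure decides the stack's result
                status, failed = ret, True
            if action == "die":
                break
        elif action in ("ok", "done") and not failed:
            status = ret
            if action == "done":        # sufficient: stop early only if nothing failed before
                break
        # "ignore": the module's result does not affect the stack
    return PERM_DENIED if status is None else status


def login(system, rules, user, pw):
    """A login succeeds only if both the auth and the account stacks return success."""
    return all(run_stack(system, rules, t, user, pw) == SUCCESS for t in ("auth", "account"))


# Assumed stock authconfig LDAP stack (auth and account groups only).
STOCK = parse_config("""
auth     required   pam_env.so
auth     sufficient pam_unix.so likeauth nullok
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
""")

# The stack from the thread: pam_localuser lets local users pass account checks without LDAP.
THREAD = parse_config("""
auth     required   pam_env.so
auth     sufficient pam_unix.so likeauth nullok
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
account  sufficient pam_localuser.so
account  [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so
""")

# Misplaced: pam_localuser as a sufficient *auth* module admits local users with any password.
MISPLACED = THREAD[:1] + [("auth", "sufficient", "pam_localuser")] + THREAD[1:]
```

With LDAP down, `run_stack(System(False), STOCK, "account", "robin", "local-pw")` returns `service_err`, which is the "authentication fails entirely" symptom: auth succeeded through pam_unix, but the account stack failed on pam_ldap's default=bad. With the thread's stack the same user passes, a wrong password is still refused, and the LDAP-only user is refused while the server is down; with `MISPLACED`, `login(System(True), MISPLACED, "robin", "wrong")` returns True.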