Re: pam_ldap and login

[Johnny Casey <johnnycasey@sbcglobal.net>]

Hi,

This is really a pam or pam_ldap issue, however, and this page might 
point you in a better direction.

http://www.openldap.org/faq/data/cache/124.html

See below...

Mike Brodbelt wrote:
> Hi,
>
> Using OpenLDAP 2.0.23, I've got an LDAP directory set up, and I've
> installed pam_ldap and nss_ldap on the machine. I've fiddled with the
> PAM config files so that su/login/ftp/ssh/cron/passwd all work as
> expected, on information stored in LDAP, but I've got one outstanding
> problem.
>
> The local /etc/passwd contains the root user account - this is the way I
> want it, so at least root can log in and do stuff if LDAP isn't working.
> However, I can't get it working so that root and LDAP users can change
> passwords. However I change the /etc/pam.d/passwd file, I can get either
> LDAP password changing working, or local, but not both. I want it to
> attempt to change the password in LDAP first, and then fall back to
> local password changing if the user doesn't exist in LDAP, but it won't
> play:-
>
> /etc/pam.d/passwd
> =======================================
> password sufficient pam_ldap.so
> password required   pam_unix.so nullok obscure min=4 max=8 md5
> use_first_pass

You are missing "use_authtok".

About the above, I would probably have pam_unix before pam_ldap.  What 
order you have the two (pam_ldap and pam_unix) should be the same for 
account/auth/password.

It might also be good to specify which Linux distribution and what 
version you are using next time...

> For an user in LDAP, but not in /etc/passwd:-
>
> [fred@nunki fred]$ passwd
> Enter login(LDAP) password:
> New password:
> Re-enter new password:
> LDAP password information changed for fred
> passwd: password updated successfully
>
> For root:-
>
> [root@nunki pam.d]# passwd
> passwd: Authentication information cannot be recovered
>
>
> Any help would be much appreciated.
>
> Mike.