
Re: pam_check_host_attr and pam_check_service_attr when LDAP down



Are you using pam_check_host_attr and pam_check_service_attr parameters
in your ldap.conf file? According to what I read you have to set:

account    required   /lib/security/pam_ldap.so

You have it set to sufficient.

--Ezsra

On Sat, 2004-02-28 at 17:05, Reed Sandberg wrote:
> I haven't had any problems on my system - though there is a delay if LDAP
> is down when logging in with a local user, my /etc/pam.d/sshd:
> #%PAM-1.0
> auth       required     /lib/security/pam_nologin.so
> auth       sufficient    /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_pwdb.so shadow nodelay
> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_pwdb.so
> password   required     /lib/security/pam_cracklib.so
> password   sufficient   /lib/security/pam_ldap.so
> password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
> session    required     /lib/security/pam_pwdb.so
> session    required     /lib/security/pam_limits.so
> 
> 
> -Reed
> 
> > My nsswitch.conf contains:
> >
> > passwd:     files ldap
> > group:      ldap files
> > passwd_compat: files ldap
> > shadow:     files ldap
> > sudoers:    files ldap
> >
> > My pam config contains:
> >
> > other   account required /usr/lib/security/pam_ldap.so.1
> > other   account required /usr/lib/security/pam_unix.so.1
> >
> > It does not work if LDAP is down.
> >
> > --- Reed Sandberg <reed@boxitllc.com> wrote:
> >> Locally defined users may still login if you have
> >> 'passwd' set correctly
> >> in /etc/nsswitch.conf:
> >> passwd:     files ldap
> >>
> >> -Reed
> >>
> >> > Greetings everyone,
> >> >
> >> > I just want to confirm that I understand these two
> >> > settings.
> >> >
> >> > For them to work the pam ldap account entry has to be
> >> > set to 'required'. If pam ldap account is required
> >> > then if LDAP is down no one, not even locally defined
> >> > users, can login.
> >> >
> >> > Is my understanding of these settings correct?
> >> >
> >> > Is there a way to allow locally defined users to login
> >> > if LDAP is down?
> >> >
> >> > Good day,
> >> > --Ezsra
> >> >
> >> > __________________________________
> >> > Do you Yahoo!?
> >> > Get better spam protection with Yahoo! Mail.
> >> > http://antispam.yahoo.com/tools
> >>
> >>
> >>
> >
> >
> 
> 
>
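The trade-off discussed in this thread (pam_ldap `required` locks everyone out while LDAP is down; `sufficient` lets local users in but, as a side effect, ignores any denial pam_ldap returns, including a pam_check_host_attr or pam_check_service_attr rejection) can be seen by simulating how the PAM framework combines module results. The following is an added illustration, not code from the thread or from pam_ldap. It models the account stack quoted above, a `required` variant, and a third variant using Linux-PAM's bracketed `[retval=action ...]` control syntax from pam.conf(5) (Solaris-style pam.conf, as used by the second poster, has no such syntax). The keyword expansions are the ones pam.conf(5) documents; the module return codes, the user lists, and the host-attribute values are constructed assumptions of the model, and jump actions are not modelled.

```python
"""Model of how Linux-PAM control flags combine pam_ldap and pam_pwdb results.

Added illustration, not code from this thread.  The keyword expansions come
from pam.conf(5); the module return codes below are a simplified model
(constructed), and the user lists are constructed sample data.
"""

# PAM return codes used by the model (names follow Linux-PAM's PAM_* values).
SUCCESS = "success"
NEW_AUTHTOK_REQD = "new_authtok_reqd"
AUTHINFO_UNAVAIL = "authinfo_unavail"   # pam_ldap: directory unreachable
USER_UNKNOWN = "user_unknown"           # module knows nothing about this user
PERM_DENIED = "perm_denied"             # e.g. pam_check_host_attr rejected the host

# Classic keywords in their bracketed form, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {SUCCESS: "ok", NEW_AUTHTOK_REQD: "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {SUCCESS: "ok", NEW_AUTHTOK_REQD: "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {SUCCESS: "done", NEW_AUTHTOK_REQD: "done", "default": "ignore"},
    "optional":   {SUCCESS: "ok", NEW_AUTHTOK_REQD: "ok", "default": "ignore"},
}

# Constructed sample accounts: local users, and LDAP users whose host attribute
# either lists this host (True) or does not (False).
LOCAL_USERS = {"root", "reed"}
LDAP_USERS = {"alice": True, "bob": False}


def pam_ldap_account(user, ldap_up):
    """Modelled pam_ldap account check with pam_check_host_attr enabled."""
    if not ldap_up:
        return AUTHINFO_UNAVAIL
    if user not in LDAP_USERS:
        return USER_UNKNOWN
    return SUCCESS if LDAP_USERS[user] else PERM_DENIED


def pam_pwdb_account(user, ldap_up):
    """Modelled pam_pwdb/pam_unix account check.  With 'passwd: files ldap' in
    nsswitch.conf an LDAP user resolves only while the directory is reachable."""
    if user in LOCAL_USERS or (ldap_up and user in LDAP_USERS):
        return SUCCESS
    return USER_UNKNOWN


def run_stack(stack, user, ldap_up):
    """Evaluate an account stack given as a list of (control, module) pairs.

    control is a keyword from KEYWORDS or a dict in the bracketed
    '[retval=action ...]' form.  Jump actions (skip N modules) are not
    modelled.  Returns True when PAM would grant access.
    """
    failed = False   # a 'bad' or 'die' action has been recorded
    ok_seen = False  # at least one module contributed an 'ok'
    for control, module in stack:
        table = KEYWORDS[control] if isinstance(control, str) else control
        code = module(user, ldap_up)
        action = table.get(code, table["default"])
        if action == "ok":
            ok_seen = True
        elif action == "done":
            return not failed        # stop now; an earlier failure still wins
        elif action == "bad":
            failed = True            # remember the failure but keep going
        elif action == "die":
            return False             # stop immediately with failure
        # "ignore": this module's result does not affect the outcome
    return ok_seen and not failed


# The stack quoted in the thread (pam_ldap 'sufficient').
STACK_SUFFICIENT = [("sufficient", pam_ldap_account), ("required", pam_pwdb_account)]

# The 'required' form the thread says pam_check_host_attr needs.
STACK_REQUIRED = [("required", pam_ldap_account), ("required", pam_pwdb_account)]

# Bracketed form (Linux-PAM syntax): enforce pam_ldap denials, but let a
# non-LDAP user or an unreachable directory fall through to pam_pwdb.
STACK_BRACKET = [
    ({SUCCESS: "ok", NEW_AUTHTOK_REQD: "ok", "ignore": "ignore",
      AUTHINFO_UNAVAIL: "ignore", USER_UNKNOWN: "ignore", "default": "bad"},
     pam_ldap_account),
    ("required", pam_pwdb_account),
]


def matrix(stack):
    """Outcome for each sample user with LDAP up and with LDAP down."""
    return {(u, up): run_stack(stack, u, up)
            for u in ("reed", "alice", "bob") for up in (True, False)}


if __name__ == "__main__":
    for name, stack in (("sufficient", STACK_SUFFICIENT),
                        ("required", STACK_REQUIRED),
                        ("bracket", STACK_BRACKET)):
        print(name)
        for (u, up), granted in sorted(matrix(stack).items()):
            print(f"  {u:6} ldap_up={up!s:5} -> {'allow' if granted else 'deny'}")
```

Running it shows the point of the thread in one table: with `sufficient`, the LDAP user whose host attribute does not list this machine ("bob") is still allowed in, because a non-success from a `sufficient` module maps to `ignore` and pam_pwdb then says yes; with `required`, that denial sticks, but the local user ("reed") is refused whenever the directory is unreachable. The bracketed entry keeps the host-attribute denial while ignoring only `authinfo_unavail` and `user_unknown`, so a local user can still log in during an LDAP outage. Whether the real pam_ldap returns exactly `user_unknown` for a local account is an assumption of the model; on a live system, check the return code in the system log before relying on it.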