[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pam_ldap and login

Add following to /etc/pam.d/system-auth or /etc/pam.d/passwd:

account     sufficient    /lib/security/pam_localuser.so

Simon Gao

Mike Brodbelt wrote:


Using OpenLDAP 2.0.23, I've got an LDAP directory set up, and I've
installed pam_ldap and nss_ldap on the machine. I've fiddled with the
PAM config files so that su/login/ftp/ssh/cron/passwd all work as
expected, on information stored in LDAP, but I've got one outstanding

The local /etc/passwd contains the root user account - this is the way I
want it, so at least root can log in and do stuff if LDAP isn't working.
However, I can't get it working so that root and LDAP users can change
passwords. However I change the /etc/pam.d/passwd file, I can get either
LDAP password changing working, or local, but not both. I want it to
attempt to change the password in LDAP first, and then fall back to
local password changing if the user doesn't exist in LDAP, but it won't

password sufficient pam_ldap.so
password required   pam_unix.so nullok obscure min=4 max=8 md5

For an user in LDAP, but not in /etc/passwd:-

[fred@nunki fred]$ passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for fred
passwd: password updated successfully

For root:-

[root@nunki pam.d]# passwd
passwd: Authentication information cannot be recovered

Any help would be much appreciated.