> -----Original Message-----
> From: Howard Chu [mailto:hyc@...]
> > what can I do to allow locally defined users to log in while LDAP is
> > unavailable?
>
> Sounds like you just need to tweak the success config in
> pam.conf - I use "sufficient" and it just falls back to
> pam_unix if pam_ldap fails.
Here are the relevant parts of my pam config:
account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account required pam_unix2.so
auth required pam_env.so
auth sufficient pam_unix2.so
auth sufficient pam_ldap.so use_first_pass ignore_authinfo_unavail
auth required pam_deny.so
password required pam_pwcheck.so nullok
password required pam_ldap.so try_first_pass ignore_unknown_user ignore_authinfo_unavail
password required pam_unix2.so nullok use_authtok
session required pam_limits.so
session optional pam_ldap.so ignore_authinfo_unavail
session required pam_unix2.so
The 'ignore_authinfo_unavail' options were all added today. It works the
same in this situation with or without.
I wonder if it's failing in 'account'. It seems like I had to have it
the way I have it, to make something important work correctly. I may
have to dig back through my notes. I think it may have been related to
LDAP password policy enforcement.
ok
r.
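The question in this message is whether the 'account' stack is where a local user gets rejected when the LDAP server is unreachable. The following is an added example, not code from this thread or from pam_ldap: a small Python model of how Linux-PAM combines 'required', 'requisite', 'sufficient' and 'optional' results, with the auth and account stacks from the message above entered as data. The scenario (a local account while LDAP is down) and the per-module return codes are constructed assumptions; the mapping of PAM_AUTHINFO_UNAVAIL and PAM_USER_UNKNOWN to PAM_IGNORE is what pam_ldap's ignore_authinfo_unavail and ignore_unknown_user options do.

```python
# Simplified model of Linux-PAM stack evaluation (added example, not from the thread).
# Return codes are represented as strings.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"


def run_stack(stack, results):
    """Evaluate one PAM stack (e.g. 'auth' or 'account').

    stack:   list of (control, module) pairs in pam.conf order
    results: dict mapping module name -> return code for this scenario
    Returns the overall stack result under the simple control-flag rules:
      required   - failure is remembered, remaining modules still run
      requisite  - failure ends the stack immediately
      sufficient - success ends the stack unless a required module already failed
      optional   - result ignored here (only matters if it is the sole module)
    """
    first_required_failure = None
    contributed = False  # did any module return something other than PAM_IGNORE?
    for control, module in stack:
        rc = results[module]
        if rc == PAM_IGNORE:
            continue  # module asked to be treated as if it were not in the stack
        contributed = True
        ok = rc == PAM_SUCCESS
        if control == "required":
            if not ok and first_required_failure is None:
                first_required_failure = rc
        elif control == "requisite":
            if not ok:
                return rc
        elif control == "sufficient":
            if ok and first_required_failure is None:
                return PAM_SUCCESS
        elif control == "optional":
            pass
        else:
            raise ValueError("unknown control flag: %s" % control)
    if first_required_failure is not None:
        return first_required_failure
    # Every module returned PAM_IGNORE: Linux-PAM fails closed rather than succeeding.
    return PAM_SUCCESS if contributed else PAM_PERM_DENIED


def pam_ldap_result(raw_rc, options):
    """Model pam_ldap's ignore_* options: the named error codes become PAM_IGNORE."""
    if raw_rc == PAM_AUTHINFO_UNAVAIL and "ignore_authinfo_unavail" in options:
        return PAM_IGNORE
    if raw_rc == PAM_USER_UNKNOWN and "ignore_unknown_user" in options:
        return PAM_IGNORE
    return raw_rc


# The 'auth' and 'account' stacks from the message, as (control, module) pairs.
AUTH_STACK = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix2.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]
ACCOUNT_STACK = [
    ("required", "pam_ldap.so"),
    ("required", "pam_unix2.so"),
]


def evaluate_local_user_ldap_down(ldap_options):
    """Constructed scenario: a locally defined user logs in while LDAP is unreachable.

    Assumed module results: pam_ldap cannot reach the server (PAM_AUTHINFO_UNAVAIL),
    pam_unix2 accepts the local account and password, pam_deny always fails.
    Returns {'auth': rc, 'account': rc} for the given pam_ldap option set.
    """
    ldap_rc = pam_ldap_result(PAM_AUTHINFO_UNAVAIL, ldap_options)
    auth = run_stack(AUTH_STACK, {
        "pam_env.so": PAM_SUCCESS,
        "pam_unix2.so": PAM_SUCCESS,
        "pam_ldap.so": ldap_rc,
        "pam_deny.so": PAM_AUTH_ERR,
    })
    account = run_stack(ACCOUNT_STACK, {
        "pam_ldap.so": ldap_rc,
        "pam_unix2.so": PAM_SUCCESS,
    })
    return {"auth": auth, "account": account}


if __name__ == "__main__":
    for opts in (("ignore_unknown_user", "ignore_authinfo_unavail"),
                 ("ignore_unknown_user",)):
        print(" ".join(opts), "->", evaluate_local_user_ldap_down(opts))
```

With both ignore options the 'account' stack lets the local user through, because pam_ldap's unavailability turns into PAM_IGNORE and only pam_unix2 counts; with ignore_authinfo_unavail removed, the 'required' pam_ldap entry records PAM_AUTHINFO_UNAVAIL, pam_unix2 still runs, and the stack fails anyway. The 'auth' stack succeeds either way, since 'sufficient' pam_unix2 ends it before pam_ldap is consulted, which is why a rejection in this scenario points at 'account' (or 'session') rather than 'auth'.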