Stricklin, Raymond J wrote:
>
> Folks;
>
> I'm running pam_ldap 180 on SuSE SLES 10 SP2. I just discovered that
> when the LDAP clients cannot access the LDAP server (for example, when
> the network goes down), users that are defined locally (i.e. root)
> cannot log in until LDAP becomes available again. This is a problem if,
> for example, LDAP cannot be reached because of a network configuration
> problem on the client.
>
> Apr 30 13:08:19 vm-ldap-2 login[1854]: pam_ldap: ldap_starttls_s: Can't
> contact LDAP server
>
> This text appears on the console:
>
> Error in service module
>
> I tried adding ignore_authinfo_unavailable to the options following
> pam_ldap.so in all the config files which refer to it. It didn't change
> the behavior in any obvious way.
>
> Is this a bug in pam_ldap, or am I misunderstanding what
> ignore_authinfo_unavailable is designed to do? More importantly, what
> can I do to allow locally defined users to log in while LDAP is
> unavailable?
Sounds like you just need to tweak the success config in pam.conf - I use
"sufficient" and it just falls back to pam_unix if pam_ldap fails.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com Director, Highland Sun
http://highlandsun.com/hyc/ Chief Architect, OpenLDAP
http://www.openldap.org/project/
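A concrete illustration of the control-flag change Howard describes, added here as an example and not taken from the thread or from the pam_ldap project. The file path (/etc/pam.d/common-auth) and the module names (pam_unix.so, pam_ldap.so) are assumptions; the unix module on a given SUSE release may have a different name, so check the stack your distribution actually ships before editing it.

```text
# /etc/pam.d/common-auth  (assumed path; Linux-PAM syntax)

# --- Before: every module is "required" ---------------------------------
# A "required" module that fails marks the whole stack as failed, even if
# later modules succeed. When the LDAP server is unreachable pam_ldap
# returns an error, so root (a local account) is locked out too.
#auth  required  pam_env.so
#auth  required  pam_ldap.so
#auth  required  pam_unix.so  use_first_pass

# --- After: local accounts are checked first and are "sufficient" -------
# "sufficient" = [success=done new_authtok_reqd=done default=ignore]:
#   * success  -> stop here, the stack succeeds (pam_ldap is never called,
#                 so a dead LDAP server cannot block a local login)
#   * failure  -> ignored, fall through to the next module
auth  required    pam_env.so
auth  sufficient  pam_unix.so
auth  required    pam_ldap.so  use_first_pass

# --- Alternative: keep pam_ldap first but tolerate an unreachable server
# The bracketed form lets you treat "no LDAP server" (PAM_AUTHINFO_UNAVAIL)
# differently from "wrong password": ignore the former, refuse the latter.
#auth  required  pam_env.so
#auth  [success=done authinfo_unavail=ignore default=die]  pam_ldap.so
#auth  required  pam_unix.so  use_first_pass
```

Two points a defender should keep in mind with the "sufficient" variant. First, ordering decides who is consulted: with pam_unix listed first, a user that exists in both /etc/shadow and LDAP authenticates against the local password, so stale local entries for directory users become a credential that still works. Second, the same change is needed in the account stack (common-account on that layout); if pam_ldap is "required" there, a reachable-server check still fails the login after authentication has succeeded.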