
Re: allowing local accounts when LDAP is unavailable?

by jlintz

I too am running into this same issue on centos 5.3.  Here is the
relevant information from my pam setup

auth        required      pam_env.so
auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/ldapgroups
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

- Justin Lintz



On Thu, Apr 30, 2009 at 7:21 PM, Stricklin, Raymond J
<raymond.j.stricklin@...> wrote:

>
>
>> -----Original Message-----
>> From: Howard Chu [mailto:hyc@...]
>> > what can I do to allow locally defined users to log in while LDAP is
>> > unavailable?
>>
>> Sounds like you just need to tweak the success config in
>> pam.conf - I use "sufficient" and it just falls back to
>> pam_unix if pam_ldap fails.
>
> Here are the relevant parts of my pam config:
>
> account required pam_ldap.so  ignore_unknown_user ignore_authinfo_unavail
> account required pam_unix2.so
>
> auth required   pam_env.so
> auth sufficient pam_unix2.so
> auth sufficient pam_ldap.so  use_first_pass ignore_authinfo_unavail
> auth required   pam_deny.so
>
> password required pam_pwcheck.so nullok
> password required pam_ldap.so    try_first_pass ignore_unknown_user ignore_authinfo_unavail
> password required pam_unix2.so   nullok use_authtok
>
> session required pam_limits.so
> session optional pam_ldap.so   ignore_authinfo_unavail
> session required pam_unix2.so
>
>
> The 'ignore_authinfo_unavail' options were all added today. It works the
> same in this situation with or without.
>
> I wonder if it's failing in 'account'. It seems like I had to have it
> the way I have it, to make something important work correctly. I may
> have to dig back through my notes. I think it may have been related to
> LDAP password policy enforcement.
>
> ok
> r.
>

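The thread turns on how PAM combines the return codes of stacked modules. As an added example, not code from either poster, here is a small Python model of Linux-PAM's control-flag semantics (integer jump actions are not modelled), traced over the account stack jlintz posted for a local user with uid >= 500 while the directory is unreachable. The per-module return values and the authinfo_unavail=ignore variant are assumptions made here, not something the thread states.

```python
# Added example: a model of Linux-PAM stack evaluation (pam.conf(5) semantics),
# not code from the thread. Return values are spelled as pam.conf value names.
SUCCESS, IGNORE, AUTHINFO_UNAVAIL = "success", "ignore", "authinfo_unavail"
USER_UNKNOWN, AUTH_ERR, PERM_DENIED = "user_unknown", "auth_err", "perm_denied"

# The keyword controls expressed as the [value=action] tables they stand for.
CONTROLS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """'required' or '[default=bad success=ok user_unknown=ignore]' -> table."""
    if control.startswith("["):
        return dict(kv.split("=", 1) for kv in control.strip("[]").split())
    return CONTROLS[control]

def run_stack(stack, results):
    """stack: [(control, module)]; results: module -> return value.
    Tracks an 'impression' (None/positive/negative) and the status that set
    it, the way Linux-PAM's dispatcher does; integer jumps are not modelled."""
    impression, status = None, None
    for control, module in stack:
        retval = results[module]
        table = parse_control(control)
        action = table.get(retval, table.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression = "positive" if retval == SUCCESS else "negative"
                status = retval
            if action == "done" and impression == "positive":
                break                 # sufficient module satisfied the stack
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # first failure wins
            if action == "die":
                break                 # requisite: stop immediately
        # "ignore": the module's result does not contribute
    return status if status is not None else PERM_DENIED

LDAP_LINE = "[default=bad success=ok user_unknown=ignore]"
ACCOUNT_POSTED = [("required", "pam_unix"), ("sufficient", "pam_succeed_if"),
                  (LDAP_LINE, "pam_ldap"), ("required", "pam_permit")]
# Variant proposed here (assumption, not from the thread): also ignore the
# "directory unreachable" code so a reachable local account still passes.
ACCOUNT_IGNORE_UNAVAIL = [(c if m != "pam_ldap" else LDAP_LINE[:-1] +
                           " authinfo_unavail=ignore]", m) for c, m in ACCOUNT_POSTED]
# Constructed results: local user, uid >= 500 (so 'uid < 500' fails), LDAP down.
LOCAL_USER_LDAP_DOWN = {"pam_unix": SUCCESS, "pam_succeed_if": AUTH_ERR,
                        "pam_ldap": AUTHINFO_UNAVAIL, "pam_permit": SUCCESS}
```

With the posted stack the trace ends in authinfo_unavail from pam_ldap, because the later required pam_permit cannot override a failure already recorded; with the variant the pam_ldap result is ignored and pam_permit carries the stack to success.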