Re: allowing local accounts when LDAP is unavailable?

by jlintz

Some more information,

It appears it's never timing out when trying to connect to the LDAP
server and falling back to local users.  It just keeps trying, even
though I have set a 15-second timeout on the bind connection to LDAP.


- Justin Lintz



On Fri, May 1, 2009 at 4:55 PM, Justin Lintz <jlintz@...> wrote:

> I too am running into this same issue on CentOS 5.3.  Here is the
> relevant information from my PAM setup
>
> auth        required      pam_env.so
> auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/ldapgroups
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
>
> - Justin Lintz
>
>
>
> On Thu, Apr 30, 2009 at 7:21 PM, Stricklin, Raymond J
> <raymond.j.stricklin@...> wrote:
>>
>>
>>> -----Original Message-----
>>> From: Howard Chu [mailto:hyc@...]
>>> > what can I do to allow locally defined users to log in while LDAP is
>>> > unavailable?
>>>
>>> Sounds like you just need to tweak the success config in
>>> pam.conf - I use "sufficient" and it just falls back to
>>> pam_unix if pam_ldap fails.
>>
>> Here are the relevant parts of my pam config:
>>
>> account required pam_ldap.so  ignore_unknown_user ignore_authinfo_unavail
>> account required pam_unix2.so
>>
>> auth required   pam_env.so
>> auth sufficient pam_unix2.so
>> auth sufficient pam_ldap.so  use_first_pass ignore_authinfo_unavail
>> auth required   pam_deny.so
>>
>> password required pam_pwcheck.so nullok
>> password required pam_ldap.so    try_first_pass ignore_unknown_user ignore_authinfo_unavail
>> password required pam_unix2.so   nullok use_authtok
>>
>> session required pam_limits.so
>> session optional pam_ldap.so   ignore_authinfo_unavail
>> session required pam_unix2.so
>>
>>
>> The 'ignore_authinfo_unavail' options were all added today. It works the
>> same in this situation with or without.
>>
>> I wonder if it's failing in 'account'. It seems like I had to have it
>> the way I have it, to make something important work correctly. I may
>> have to dig back through my notes. I think it may have been related to
>> LDAP password policy enforcement.
>>
>> ok
>> r.
>>
>

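The stacks quoted in this thread decide the local-user fallback through PAM control fields, so it helps to see exactly what libpam computes once pam_ldap does return. The Python below is an added example, not code from anyone in this thread: it parses Justin's auth and account lines as posted above and walks them with the dispatch rules from pam.conf(5) (required/requisite/sufficient/optional expansions, explicit [retcode=action] fields, jump actions, first failure wins). The scenario is constructed: a local user with uid 600, correct password, LDAP server unreachable; it assumes pam_ldap reports PAM_AUTHINFO_UNAVAIL in that case. The `authinfo_unavail=ignore` variant it also runs is an illustration of that control-field mechanism, not a fix anyone in the thread proposed. It cannot model the hang Justin reports, because a module that never returns never reaches the dispatcher at all.

```python
"""Simulate Linux-PAM stack dispatch for the auth and account stacks quoted
in this thread.  Module return values are a constructed scenario; the
assumption that pam_ldap returns authinfo_unavail when the server is
unreachable is labelled below."""
import re
from dataclasses import dataclass

# Control keyword expansions, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# type, control keyword or [bracketed field], module, options
LINE_RE = re.compile(r"^\s*(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Entry:
    module: str
    actions: dict   # PAM return-code name -> ok/done/bad/die/ignore or int (jump N)
    options: str


def parse_control(token):
    """Expand a keyword, or parse an explicit [retcode=action ...] field."""
    if token.startswith("[") and token.endswith("]"):
        actions = {}
        for kv in token[1:-1].split():
            code, act = kv.split("=", 1)
            actions[code] = int(act) if act.isdigit() else act
        return actions
    return dict(KEYWORDS[token])


def parse_stack(text, stack_type):
    """Entries of one management group ('auth', 'account', ...), in order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == stack_type:
            entries.append(Entry(m.group(3), parse_control(m.group(2)), m.group(4)))
    return entries


def dispatch(entries, results):
    """Walk a stack the way libpam's _pam_dispatch_aux does.
    results: module file name -> return-code name that module would give.
    Returns (overall status, trace of (module, retcode, action))."""
    impression = None          # None: undecided, True: positive, False: negative
    status = None
    trace = []
    i = 0
    while i < len(entries):
        e = entries[i]
        ret = results[e.module]
        action = e.actions.get(ret, e.actions.get("default", "bad"))
        trace.append((e.module, ret, action))
        if action == "ignore":
            i += 1
            continue
        if action in ("ok", "done") or isinstance(action, int):
            # ok/done/jump only record a result while nothing has failed yet
            if impression is None or (impression and status == "success"):
                impression, status = True, ret
            if action == "done" and impression:
                break                  # sufficient: stop at the first success
            if isinstance(action, int):
                i += action            # jump: skip the next N modules
        else:                          # bad or die
            if impression is not False:
                impression, status = False, ret   # first failure wins
            if action == "die":
                break
        i += 1
    if impression is None:
        status = "perm_denied"         # PAM_MUST_FAIL_CODE: no module decided
    return status, trace


# Justin's auth and account stacks, copied from the thread above.
JUSTIN_PAM = """
auth        required      pam_env.so
auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/ldapgroups
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
"""
# Constructed scenario: local user, uid 600, right password, LDAP unreachable.
# Assumption: pam_ldap returns authinfo_unavail when it cannot reach the server.
LOCAL_USER_LDAP_DOWN = {
    "auth": {"pam_env.so": "success", "pam_listfile.so": "success",
             "pam_unix.so": "success", "pam_succeed_if.so": "success",
             "pam_ldap.so": "authinfo_unavail", "pam_deny.so": "perm_denied"},
    "account": {"pam_unix.so": "success", "pam_succeed_if.so": "auth_err",  # uid < 500 is false
                "pam_ldap.so": "authinfo_unavail", "pam_permit.so": "success"},
}
# Hypothetical variant of the account line (not from the thread): treat
# "server unreachable" as no opinion, like user_unknown already is.
PATCHED_ACCOUNT = JUSTIN_PAM.replace(
    "[default=bad success=ok user_unknown=ignore]",
    "[default=bad success=ok user_unknown=ignore authinfo_unavail=ignore]")


def run(stack_text, stack_type, scenario):
    """Overall status of one stack for one scenario."""
    return dispatch(parse_stack(stack_text, stack_type), scenario[stack_type])[0]


if __name__ == "__main__":
    for name, text in (("original", JUSTIN_PAM), ("patched", PATCHED_ACCOUNT)):
        for stack_type in ("auth", "account"):
            status, trace = dispatch(parse_stack(text, stack_type), LOCAL_USER_LDAP_DOWN[stack_type])
            print(f"{name:8} {stack_type:8} -> {status}")
            for mod, ret, act in trace:
                print(f"           {mod:18} returned {ret:18} action {act}")
```

Run as written, the auth stack returns success for the local user (pam_unix is sufficient and short-circuits before pam_ldap is consulted), while the account stack returns authinfo_unavail: pam_succeed_if's uid < 500 test fails for uid 600 and is ignored, and pam_ldap's result then falls through to default=bad. The trace makes it easy to try other scenarios, for instance an LDAP-only user (pam_unix returning user_unknown in auth), which ends in pam_deny.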