|
»
»
« Return to Thread: allowing local accounts when LDAP is unavailable?
Re: allowing local accounts when LDAP is unavailable?
by wrogers
::
Rate this Message:
You don't have to do anything with pam to get failover to /etc/passwd
if you have an LDAP outage, just use proper ordering of
/etc/nsswitch.conf
Wes
On Fri, May 1, 2009 at 16:57, Justin Lintz <jlintz@...> wrote:
> Some more information,
>
> It appears it's never timing out when trying to connect to the ldap
> server and falling back to local users. It just keeps trying even
> though I have set a 15 second timeout on the bind connection to ldap
>
>
> - Justin Lintz
>
>
>
> On Fri, May 1, 2009 at 4:55 PM, Justin Lintz <jlintz@...> wrote:
>> I too am running into this same issue on centos 5.3. Here is the
>> revelant information from my pam setup
>>
>> auth required pam_env.so
>> auth required pam_listfile.so onerr=fail item=group
>> sense=allow file=/etc/ldapgroups
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_ldap.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so broken_shadow
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=3
>> password sufficient pam_unix.so md5 shadow nullok try_first_pass
>> use_authtok
>> password sufficient pam_ldap.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
>> session [success=1 default=ignore] pam_succeed_if.so service in
>> crond quiet use_uid
>> session required pam_unix.so
>> session optional pam_ldap.so
>>
>> - Justin Lintz
>>
>>
>>
>> On Thu, Apr 30, 2009 at 7:21 PM, Stricklin, Raymond J
>> <raymond.j.stricklin@...> wrote:
>>>
>>>
>>>> -----Original Message-----
>>>> From: Howard Chu [mailto:hyc@...]
>>>> > what can I do to allow locally defined users to log in while LDAP is
>>>
>>>> > unavailable?
>>>>
>>>> Sounds like you just need to tweak the success config in
>>>> pam.conf - I use "sufficient" and it just falls back to
>>>> pam_unix if pam_ldap fails.
>>>
>>> Here are the relevant parts of my pam config:
>>>
>>> account required pam_ldap.so ignore_unknown_user
>>> ignore_authinfo_unavail
>>> account required pam_unix2.so
>>>
>>> auth required pam_env.so
>>> auth sufficient pam_unix2.so
>>> auth sufficient pam_ldap.so use_first_pass ignore_authinfo_unavail
>>> auth required pam_deny.so
>>>
>>> password required pam_pwcheck.so nullok
>>> password required pam_ldap.so try_first_pass ignore_unknown_user
>>> ignore_authinfo_unavail
>>> password required pam_unix2.so nullok use_authtok
>>>
>>> session required pam_limits.so
>>> session optional pam_ldap.so ignore_authinfo_unavail
>>> session required pam_unix2.so
>>>
>>>
>>> The 'ignore_authinfo_unavail' options were all added today. It works the
>>> same in this situation with or without.
>>>
>>> I wonder if it's failing in 'account'. It seems like I had to have it
>>> the way I have it, to make something important work correctly. I may
>>> have to dig back through my notes. I think it may have been related to
>>> LDAP password policy enforcement.
>>>
>>> ok
>>> r.
>>>
>>
>
if you have an LDAP outage, just use proper ordering of
/etc/nsswitch.conf
Wes
On Fri, May 1, 2009 at 16:57, Justin Lintz <jlintz@...> wrote:
> Some more information,
>
> It appears it's never timing out when trying to connect to the ldap
> server and falling back to local users. It just keeps trying even
> though I have set a 15 second timeout on the bind connection to ldap
>
>
> - Justin Lintz
>
>
>
> On Fri, May 1, 2009 at 4:55 PM, Justin Lintz <jlintz@...> wrote:
>> I too am running into this same issue on centos 5.3. Here is the
>> revelant information from my pam setup
>>
>> auth required pam_env.so
>> auth required pam_listfile.so onerr=fail item=group
>> sense=allow file=/etc/ldapgroups
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_ldap.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so broken_shadow
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=3
>> password sufficient pam_unix.so md5 shadow nullok try_first_pass
>> use_authtok
>> password sufficient pam_ldap.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
>> session [success=1 default=ignore] pam_succeed_if.so service in
>> crond quiet use_uid
>> session required pam_unix.so
>> session optional pam_ldap.so
>>
>> - Justin Lintz
>>
>>
>>
>> On Thu, Apr 30, 2009 at 7:21 PM, Stricklin, Raymond J
>> <raymond.j.stricklin@...> wrote:
>>>
>>>
>>>> -----Original Message-----
>>>> From: Howard Chu [mailto:hyc@...]
>>>> > what can I do to allow locally defined users to log in while LDAP is
>>>
>>>> > unavailable?
>>>>
>>>> Sounds like you just need to tweak the success config in
>>>> pam.conf - I use "sufficient" and it just falls back to
>>>> pam_unix if pam_ldap fails.
>>>
>>> Here are the relevant parts of my pam config:
>>>
>>> account required pam_ldap.so ignore_unknown_user
>>> ignore_authinfo_unavail
>>> account required pam_unix2.so
>>>
>>> auth required pam_env.so
>>> auth sufficient pam_unix2.so
>>> auth sufficient pam_ldap.so use_first_pass ignore_authinfo_unavail
>>> auth required pam_deny.so
>>>
>>> password required pam_pwcheck.so nullok
>>> password required pam_ldap.so try_first_pass ignore_unknown_user
>>> ignore_authinfo_unavail
>>> password required pam_unix2.so nullok use_authtok
>>>
>>> session required pam_limits.so
>>> session optional pam_ldap.so ignore_authinfo_unavail
>>> session required pam_unix2.so
>>>
>>>
>>> The 'ignore_authinfo_unavail' options were all added today. It works the
>>> same in this situation with or without.
>>>
>>> I wonder if it's failing in 'account'. It seems like I had to have it
>>> the way I have it, to make something important work correctly. I may
>>> have to dig back through my notes. I think it may have been related to
>>> LDAP password policy enforcement.
>>>
>>> ok
>>> r.
>>>
>>
>
« Return to Thread: allowing local accounts when LDAP is unavailable?
| Free embeddable forum powered by Nabble | Forum Help |
