> You don't have to do anything with PAM to get failover to /etc/passwd
> if you have an LDAP outage; just use proper ordering in
> /etc/nsswitch.conf.
>
> Wes
>
> On Fri, May 1, 2009 at 16:57, Justin Lintz <jlintz@...> wrote:
>> Some more information,
>>
>> It appears it's never timing out when trying to connect to the LDAP
>> server and falling back to local users. It just keeps trying even
>> though I have set a 15-second timeout on the bind connection to LDAP.
>>
>>
>> - Justin Lintz
>>
>>
>>
>> On Fri, May 1, 2009 at 4:55 PM, Justin Lintz <jlintz@...> wrote:
>>> I too am running into this same issue on CentOS 5.3. Here is the
>>> relevant information from my PAM setup:
>>>
>>> # auth: local accounts first; pam_ldap is only reached for uid >= 500
>>> auth required pam_env.so
>>> auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ldapgroups
>>> auth sufficient pam_unix.so nullok try_first_pass
>>> auth requisite pam_succeed_if.so uid >= 500 quiet
>>> auth sufficient pam_ldap.so use_first_pass
>>> auth required pam_deny.so
>>>
>>> # account: pam_unix always runs; uid < 500 skips pam_ldap, any other
>>> # pam_ldap result except "user unknown" or success counts as bad
>>> account required pam_unix.so broken_shadow
>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>> account required pam_permit.so
>>>
>>> # password: pam_unix is tried before pam_ldap
>>> password requisite pam_cracklib.so try_first_pass retry=3
>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>> password sufficient pam_ldap.so use_authtok
>>> password required pam_deny.so
>>>
>>> # session: crond skips pam_unix (success=1 jumps over the next line)
>>> session optional pam_keyinit.so revoke
>>> session required pam_limits.so
>>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>> session required pam_unix.so
>>> session optional pam_ldap.so
>>>
>>> - Justin Lintz
>>>
>>>
>>>
>>> On Thu, Apr 30, 2009 at 7:21 PM, Stricklin, Raymond J <raymond.j.stricklin@...> wrote:
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Howard Chu [mailto:hyc@...]
>>>>> > what can I do to allow locally defined users to log in while LDAP is
>>>>> > unavailable?
>>>>>
>>>>> Sounds like you just need to tweak the success config in
>>>>> pam.conf - I use "sufficient" and it just falls back to
>>>>> pam_unix if pam_ldap fails.
>>>>
>>>> Here are the relevant parts of my PAM config:
>>>>
>>>> # account: both modules are required; pam_ldap ignores unknown users and an unreachable server
>>>> account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
>>>> account required pam_unix2.so
>>>>
>>>> # auth: pam_unix2 is tried first, then pam_ldap with the same password
>>>> auth required pam_env.so
>>>> auth sufficient pam_unix2.so
>>>> auth sufficient pam_ldap.so use_first_pass ignore_authinfo_unavail
>>>> auth required pam_deny.so
>>>>
>>>> password required pam_pwcheck.so nullok
>>>> password required pam_ldap.so try_first_pass ignore_unknown_user ignore_authinfo_unavail
>>>> password required pam_unix2.so nullok use_authtok
>>>>
>>>> session required pam_limits.so
>>>> session optional pam_ldap.so ignore_authinfo_unavail
>>>> session required pam_unix2.so
>>>>
>>>>
>>>> The 'ignore_authinfo_unavail' options were all added today. It works the
>>>> same in this situation with or without.
>>>>
>>>> I wonder if it's failing in 'account'. It seems like I had to have it
>>>> the way I have it, to make something important work correctly. I may
>>>> have to dig back through my notes. I think it may have been related to
>>>> LDAP password policy enforcement.
>>>>
>>>> ok
>>>> r.
>>>>
>>>
>>
>
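Added example, not code from anyone in the thread: a POSIX sh check for the two settings the thread turns on, the nsswitch.conf ordering Wes describes (local files consulted before LDAP) and the reconnect behaviour behind the "never times out" symptom Justin reports. It assumes the PADL nss_ldap /etc/ldap.conf keywords `bind_policy` (hard, the default, retries with exponential backoff; soft returns immediately on server failure) and `bind_timelimit`. The sample nsswitch.conf and ldap.conf contents are constructed here, as are the hostname and base DN; on a real host you would feed the check `$(cat /etc/nsswitch.conf)` and `$(cat /etc/ldap.conf)`.

```shell
#!/bin/sh
# Added example for the LDAP-outage thread; not from the original posts.
# Checks (1) nsswitch.conf lists "files" before "ldap" for passwd/shadow/group
# and (2) nss_ldap's bind_policy is "soft", so a dead server fails fast.

# nss_sources DB TEXT: print the source list for database DB from nsswitch text
nss_sources() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# nss_order_ok DB TEXT: 0 if "files" is consulted before "ldap" for DB;
# 1 if ldap comes first, files is absent, or DB is not configured at all.
nss_order_ok() {
    srcs=$(nss_sources "$1" "$2")
    [ -n "$srcs" ] || return 1
    files_pos=; ldap_pos=; i=0
    set -f                       # no globbing: action tokens look like [NOTFOUND=return]
    for tok in $srcs; do
        i=$((i + 1))
        case $tok in
            files) [ -n "$files_pos" ] || files_pos=$i ;;
            ldap)  [ -n "$ldap_pos" ]  || ldap_pos=$i ;;
        esac
    done
    set +f
    [ -n "$files_pos" ] || return 1
    [ -z "$ldap_pos" ] && return 0
    [ "$files_pos" -lt "$ldap_pos" ]
}

# ldap_conf_value KEY DEFAULT TEXT: last uncommented "KEY value" in ldap.conf
# text, or DEFAULT when the key is not set.
ldap_conf_value() {
    v=$(printf '%s\n' "$3" | sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p" | tail -n 1)
    printf '%s\n' "${v:-$2}"
}

# check_host NSS_TEXT LDAP_TEXT: 0 when local logins can survive an LDAP outage
check_host() {
    ok=0
    for db in passwd shadow group; do
        if nss_order_ok "$db" "$1"; then
            echo "nsswitch $db: files before ldap (ok)"
        else
            echo "nsswitch $db: ldap before files, or misconfigured (FAIL)"; ok=1
        fi
    done
    pol=$(ldap_conf_value bind_policy hard "$2")      # nss_ldap default is hard
    tl=$(ldap_conf_value bind_timelimit unset "$2")
    if [ "$pol" = soft ]; then
        echo "ldap.conf: bind_policy soft, bind_timelimit $tl (ok)"
    else
        echo "ldap.conf: bind_policy $pol, bind_timelimit $tl (FAIL: hard retries with backoff)"; ok=1
    fi
    return $ok
}

# Constructed sample files (assumed host and base DN, not from any real system).
# The "weak" pair mirrors the symptom in the thread: LDAP consulted first and
# the default hard bind policy, so a 15 s bind_timelimit never ends the retries.
NSSWITCH_WEAK='passwd:     ldap files
shadow:     ldap files
group:      ldap files'

NSSWITCH_FIXED='passwd:     files ldap
shadow:     files ldap
group:      files ldap'

LDAPCONF_WEAK='host ldap.example.com
base dc=example,dc=com
bind_timelimit 15
#bind_policy soft'

LDAPCONF_FIXED='host ldap.example.com
base dc=example,dc=com
bind_timelimit 15
bind_policy soft'

echo "== weak config =="
check_host "$NSSWITCH_WEAK" "$LDAPCONF_WEAK" || echo "=> local logins will hang during an LDAP outage"
echo "== fixed config =="
check_host "$NSSWITCH_FIXED" "$LDAPCONF_FIXED" && echo "=> local logins fall back to files"
```

The nsswitch check only covers lookups; the PAM stacks quoted above still decide whether an LDAP error in the account or auth phase is treated as a denial, which is a separate setting from the one this script inspects.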