
Re: allowing local accounts when LDAP is unavailable?

by wrogers


You need to set it to ldap first, then files.

Wes

On Sat, May 2, 2009 at 21:01, Justin Lintz <jlintz@...> wrote:

> nsswitch.conf is set to files ldap, for passwd, shadow and group, yet
> the problem still exists.
> - Justin Lintz
>
>
>
> On Fri, May 1, 2009 at 10:16 PM, Weston Rogers <wrogers@...> wrote:
>> You don't have to do anything with pam to get failover to /etc/passwd
>> if you have an LDAP outage, just use proper ordering of
>> /etc/nsswitch.conf
>>
>> Wes
>>
>> On Fri, May 1, 2009 at 16:57, Justin Lintz <jlintz@...> wrote:
>>> Some more information,
>>>
>>> It appears it's never timing out when trying to connect to the ldap
>>> server and falling back to local users.  It just keeps trying even
>>> though I have set a 15 second timeout on the bind connection to ldap
>>>
>>>
>>> - Justin Lintz
>>>
>>>
>>>
>>> On Fri, May 1, 2009 at 4:55 PM, Justin Lintz <jlintz@...> wrote:
>>>> I too am running into this same issue on centos 5.3.  Here is the
>>>> relevant information from my pam setup
>>>>
>>>> auth        required      pam_env.so
>>>> auth        required      pam_listfile.so onerr=fail item=group
>>>> sense=allow file=/etc/ldapgroups
>>>> auth        sufficient    pam_unix.so nullok try_first_pass
>>>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>>> auth        sufficient    pam_ldap.so use_first_pass
>>>> auth        required      pam_deny.so
>>>>
>>>> account     required      pam_unix.so broken_shadow
>>>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>>>> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>> account     required      pam_permit.so
>>>>
>>>> password    requisite     pam_cracklib.so try_first_pass retry=3
>>>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
>>>> use_authtok
>>>> password    sufficient    pam_ldap.so use_authtok
>>>> password    required      pam_deny.so
>>>>
>>>> session     optional      pam_keyinit.so revoke
>>>> session     required      pam_limits.so
>>>> session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
>>>> session     [success=1 default=ignore] pam_succeed_if.so service in
>>>> crond quiet use_uid
>>>> session     required      pam_unix.so
>>>> session     optional      pam_ldap.so
>>>>
>>>> - Justin Lintz
>>>>
>>>>
>>>>
>>>> On Thu, Apr 30, 2009 at 7:21 PM, Stricklin, Raymond J
>>>> <raymond.j.stricklin@...> wrote:
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Howard Chu [mailto:hyc@...]
>>>>>> > what can I do to allow locally defined users to log in while LDAP is
>>>>>
>>>>>> > unavailable?
>>>>>>
>>>>>> Sounds like you just need to tweak the success config in
>>>>>> pam.conf - I use "sufficient" and it just falls back to
>>>>>> pam_unix if pam_ldap fails.
>>>>>
>>>>> Here are the relevant parts of my pam config:
>>>>>
>>>>> account required pam_ldap.so  ignore_unknown_user
>>>>> ignore_authinfo_unavail
>>>>> account required pam_unix2.so
>>>>>
>>>>> auth required   pam_env.so
>>>>> auth sufficient pam_unix2.so
>>>>> auth sufficient pam_ldap.so  use_first_pass ignore_authinfo_unavail
>>>>> auth required   pam_deny.so
>>>>>
>>>>> password required pam_pwcheck.so nullok
>>>>> password required pam_ldap.so    try_first_pass ignore_unknown_user
>>>>> ignore_authinfo_unavail
>>>>> password required pam_unix2.so   nullok use_authtok
>>>>>
>>>>> session required pam_limits.so
>>>>> session optional pam_ldap.so   ignore_authinfo_unavail
>>>>> session required pam_unix2.so
>>>>>
>>>>>
>>>>> The 'ignore_authinfo_unavail' options were all added today. It works the
>>>>> same in this situation with or without.
>>>>>
>>>>> I wonder if it's failing in 'account'. It seems like I had to have it
>>>>> the way I have it, to make something important work correctly. I may
>>>>> have to dig back through my notes. I think it may have been related to
>>>>> LDAP password policy enforcement.
>>>>>
>>>>> ok
>>>>> r.
>>>>>
>>>>
>>>
>>
>
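Added example (not from anyone in the thread): a small Python model of Linux-PAM's control-flag semantics (required/requisite/sufficient/optional and the `[retval=action]` form, with ok/done/bad/die/ignore and jump N), run over Justin's auth and account stacks as posted above. It assumes, as the thread does not state outright, that pam_ldap returns PAM_AUTHINFO_UNAVAIL when the server is unreachable, that the local user has uid 1000, and that pam_listfile admits the user. The `authinfo_unavail=ignore` action added to the bracketed control on the fixed stack is valid pam.conf syntax but is an illustration of one possible remedy, not something the posters confirmed.

```python
"""Toy evaluator for Linux-PAM stack control semantics (added example)."""
import re

SUCCESS, IGNORE, AUTH_ERR, AUTHINFO_UNAVAIL, PERM_DENIED = (
    "success", "ignore", "auth_err", "authinfo_unavail", "perm_denied")

# pam.conf(5) expansions of the simple keywords into [retval=action] maps.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

LINE_RE = re.compile(r"^\s*(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_control(token):
    """'required' or '[default=bad success=ok ...]' -> {retval: action}."""
    if token.startswith("["):
        return dict(kv.split("=", 1) for kv in token.strip("[]").split())
    return dict(SIMPLE_CONTROLS[token])


def parse_stack(text, stack_type):
    """Collect (control, module, args) for one stack type from pam.d-style text."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == stack_type:
            entries.append((parse_control(m.group(2)), m.group(3), m.group(4).split()))
    return entries


def run_stack(entries, module_result):
    """Walk the stack the way pam_dispatch does; 'reset' is not modelled."""
    status = None  # None: no module has contributed to the result yet
    i = 0
    while i < len(entries):
        ctrl, module, args = entries[i]
        i += 1
        ret = module_result(module, args)
        action = ctrl.get(ret, ctrl.get("default", "ignore"))
        if action == "ignore":
            continue
        if action in ("ok", "done") or action.isdigit():
            if status in (None, SUCCESS) and ret != IGNORE:
                status = ret            # ok never overrides an earlier failure
            if action == "done" and status == SUCCESS:
                break                   # sufficient: stop on success
            if action.isdigit():
                i += int(action)        # jump over the next N modules
        elif action in ("bad", "die"):
            if status in (None, SUCCESS):
                status = ret            # first failure fixes the stack's result
            if action == "die":
                break
    return PERM_DENIED if status is None else status


# Justin's auth and account stacks from the thread (wrapped lines rejoined).
CENTOS_STACK = """
auth        required      pam_env.so
auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/ldapgroups
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
"""

# Illustrative remedy (assumption): treat an unreachable server as "ignore" in account.
FIXED_STACK = CENTOS_STACK.replace(
    "[default=bad success=ok user_unknown=ignore]",
    "[default=bad success=ok user_unknown=ignore authinfo_unavail=ignore]")


def local_user_ldap_down(uid):
    """Constructed module outcomes for a /etc/passwd user while LDAP is unreachable."""
    def result(module, args):
        if module == "pam_ldap.so":
            return AUTHINFO_UNAVAIL     # assumption: connection failure -> AUTHINFO_UNAVAIL
        if module == "pam_succeed_if.so":
            op, bound = args[1], int(args[2])          # e.g. ['uid', '>=', '500', 'quiet']
            return SUCCESS if {"<": uid < bound, ">=": uid >= bound}[op] else AUTH_ERR
        if module == "pam_deny.so":
            return AUTH_ERR
        return SUCCESS                  # pam_env, pam_listfile (user listed), pam_unix, pam_permit
    return result


def outcome(stack_text, uid=1000):
    """Result of the auth and account stacks for a local user of the given uid."""
    results = local_user_ldap_down(uid)
    return {st: run_stack(parse_stack(stack_text, st), results) for st in ("auth", "account")}


if __name__ == "__main__":
    print("as posted, uid 1000:", outcome(CENTOS_STACK))
    print("as posted, uid 0:   ", outcome(CENTOS_STACK, uid=0))
    print("with authinfo_unavail=ignore:", outcome(FIXED_STACK))
```

In the model, auth succeeds through the sufficient pam_unix line before pam_ldap is ever consulted, which is why password checking looks fine; the account stack is where the outage bites, because `[default=bad ...]` turns pam_ldap's AUTHINFO_UNAVAIL into a failure that the trailing pam_permit cannot override. Accounts below uid 500 escape via the sufficient pam_succeed_if line, so a root console login still works while ordinary local users are locked out, which is consistent with Raymond's suspicion above that the failure is in 'account'.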
