Re: PAM_Unix, PAM_LDAP
On Sun, Jul 28, 2002 at 12:30:09PM +0800, Federico Sevilla III wrote:
> I do not know if this will work in your situation, but I'm wondering if
> using the recommended configuration, which seems to do the reverse --
> authenticate via pam_ldap first and then if that fails use pam_unix --
> will work for you.
That means if the LDAP server goes down for any reason, it will be
impossible to log in (even as root) until the LDAP query times out.
E.g. a broken firewall policy that drops all packets could do this, and
it's very easy to accidentally break a firewall like this (just flush the
INPUT table when the default policy is DROP...). This will break even if
contacting LDAP via localhost.
Brian May <email@example.com>
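
The two module orderings discussed in this thread, side by side, as an added example that is not part of the original message. The file path and the `sufficient`/`required` control flags are assumptions; the thread names the modules but quotes no configuration.

```conf
# /etc/pam.d/login, "auth" stack only (illustrative path, assumed)

# Ordering A: pam_ldap first, pam_unix as the fallback.
# Every login, root's included, has to wait for pam_ldap to give up
# before pam_unix is consulted. If packets to the LDAP server are
# silently dropped, that wait lasts until the LDAP query times out.
#auth  sufficient  pam_ldap.so
#auth  required    pam_unix.so use_first_pass

# Ordering B: pam_unix first, pam_ldap second.
# Accounts present in the local passwd/shadow files (root included)
# are accepted by pam_unix and the stack returns without contacting
# the directory. Only users that exist solely in LDAP depend on the
# server being reachable.
auth  sufficient  pam_unix.so
auth  required    pam_ldap.so use_first_pass
```

This covers the authentication stack only; if account lookups also go through LDAP, the order of sources on the `passwd` line in `/etc/nsswitch.conf` decides whether local accounts resolve without the directory.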