
Re: central authentication with LDAP



On Tue, 29 Jan 2002 02:14, Michael Wood wrote:
> On Mon, Jan 28, 2002 at 11:10:09PM +1100, Russell Coker wrote:
> > > auth       sufficient pam_rootok.so
> > > auth       sufficient   pam_ldap.so
> > > auth       required   pam_unix.so use_first_pass
> > > account    sufficient   pam_ldap.so
> > > account    required   pam_unix.so
> > > session    required   pam_unix.so
> >
> > I suggest putting pam_unix first and pam_ldap later in the
> > list.  If you do otherwise then an LDAP problem can make it
> > impossible to login which is a real bitch.  I once had that
> > happen to servers at a secure hosting facility, that was a
> > real PITA.
>
> [snip]
>
> I haven't looked at the PAM docs enough or bothered testing
> this, but I think what Florian has above should be fine.

I could have guessed that you didn't test it.

> pam_ldap.so is "sufficient" so that if LDAP is working and he
> types in the right user/pass combination, it should let him in.

Yes.

> If LDAP is not working, it should fall through to pam_unix.so
> and also use the password he already typed in for pam_ldap.so.

If LDAP cleanly doesn't work, i.e. if it rejects the user-name, or if a RST 
packet is generated by the LDAP server in response to a SYN, then things 
should be fine.

If the LDAP server accepts the connection and just does nothing then things 
can get bad.

But feel free to test this out on one of your networks some time, I've 
already tested it on one of mine and had a network of dead machines as a 
result.

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page
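As an added illustration of the ordering point in this thread (not code from the thread or from any of its posters), the following lint parses a PAM stack and reports the stack types in which pam_ldap is consulted before pam_unix, the arrangement under which a hung LDAP server blocks local logins as well. Both sample stacks are constructed: the first is the ordering Florian posted, the second puts pam_unix first as Russell suggests, with control flags that are an assumption rather than anything stated in the thread.

```python
from collections import defaultdict

# Constructed: the ordering Florian posted (pam_ldap before pam_unix).
LDAP_FIRST = """\
auth       sufficient pam_rootok.so
auth       sufficient   pam_ldap.so
auth       required   pam_unix.so use_first_pass
account    sufficient   pam_ldap.so
account    required   pam_unix.so
session    required   pam_unix.so
"""

# Constructed: the same stack with pam_unix first, as Russell suggests;
# the exact control flags here are an assumption, only the order matters.
UNIX_FIRST = """\
auth       sufficient pam_rootok.so
auth       sufficient   pam_unix.so
auth       required   pam_ldap.so use_first_pass
account    sufficient   pam_unix.so
account    required   pam_ldap.so
session    required   pam_unix.so
"""

NETWORK_MODULES = {"pam_ldap.so"}  # modules that need a remote server

def parse_stack(text):
    """Return {type: [(control, module, args)]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        stacks[parts[0]].append((parts[1], parts[2], parts[3:]))
    return stacks

def network_before_local(text):
    """Stack types (auth, account, ...) in which a network module is
    consulted before pam_unix, so even local users depend on the server."""
    bad = []
    for mtype, entries in parse_stack(text).items():
        modules = [m for _, m, _ in entries]
        if "pam_unix.so" in modules:
            before_unix = modules[:modules.index("pam_unix.so")]
            if NETWORK_MODULES.intersection(before_unix):
                bad.append(mtype)
    return bad
```

Run against the two samples, the first stack flags both the auth and account types while the reordered one flags nothing; the same function can be pointed at a real file's contents from /etc/pam.d.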


