Re: LDAP authentication with PAM
>>>>> "Wichert" == Wichert Akkerman <firstname.lastname@example.org> writes:
Wichert> pam_pwdb is obsolete, forget about it :)
thought so. Only ppp is owned by ppp so I deleted pppd.
>> Actually I was pushing ctrl^C trying to abort... Can't it make up its
>> mind if its updating UNIX or LDAP? (this only happens when done as
>> root with a /etc/ldap.secret file).
actually I meant "why is the LDAP prompt different when LDAP is
Wichert> That's not a bug, it's a feature. You have to tell the
Wichert> pam_ldap module to first try the password that the
Wichert> pam_unix module collected. Again, this is nicely
Wichert> documented in the PAM documentation :)
Wichert> The correct snippet would be:
Wichert> auth sufficient pam_unix.so
Wichert> auth required pam_ldap.so try_first_pass
Wichert> account sufficient pam_unix.so
Wichert> account required pam_ldap.so
Wichert> password sufficient pam_unix.so
Wichert> password required pam_ldap.so use_authtok
I tried the above config, but it does not work if I shut down the LDAP
server. I get errors like:
Apr 13 19:13:30 snoopy PAM_unix: auth could not identify password for [root]
Apr 13 19:13:30 snoopy login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Apr 13 19:14:02 snoopy login: Error in service module
which is a bit strange. "auth could not identify password?". The
password stored in /etc/shadow works fine if LDAP is running.
Things that work include:
snoopy:/etc/pam.d# /etc/init.d/slapd stop
Stopping ldap server(s): slapd.
snoopy:/etc/pam.d# id root
uid=0(root) gid=0(root) groups=0(root),201(printer)
so my nsswitch.conf seems to be OK.
Brian May <email@example.com>