
Re: LDAP authentication with PAM

>>>>> "Wichert" == Wichert Akkerman <wichert@cistron.nl> writes:

    Wichert> pam_pwdb is obsolete, forget about it :)

thought so. Only ppp is owned by ppp so I deleted pppd.

    >> Actually I was pushing ctrl^C trying to abort... Can't it make up its
    >> mind if its updating UNIX or LDAP? (this only happens when done as
    >> root with a /etc/ldap.secret file).

actually I meant "why is the LDAP prompt different when LDAP is

    Wichert> That's not a bug, it's a feature. You have to tell the
    Wichert> pam_ldap module to first try the password that the
    Wichert> pam_unix module collected. Again, this is nicely
    Wichert> documented in the PAM documentation :)

    Wichert> The correct snippet would be:

    Wichert> auth	sufficient	pam_unix.so
    Wichert> auth	required	pam_ldap.so try_first_pass

    Wichert> account	sufficient	pam_unix.so
    Wichert> account	required	pam_ldap.so

    Wichert> password sufficient	pam_unix.so
    Wichert> password required	pam_ldap.so use_authtok

I tried the above config, but it does not work if I shut down the LDAP
server. I get errors like:

Apr 13 19:13:30 snoopy PAM_unix[17434]: auth could not identify password for [root]
Apr 13 19:13:30 snoopy login[17434]: pam_ldap: ldap_simple_bind Can't contact LDAP server


Apr 13 19:14:02 snoopy login[17474]: Error in service module

which is a bit strange. "auth could not identify password?".  The
password stored in /etc/shadow works fine if LDAP is running.

Things that work include:

snoopy:/etc/pam.d# /etc/init.d/slapd stop 
Stopping ldap server(s): slapd.
snoopy:/etc/pam.d# id root
uid=0(root) gid=0(root) groups=0(root),201(printer)

so my nsswitch.conf seems to be OK.
Brian May <bam@debian.org>
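An added example (not code from this thread, nor Linux-PAM's own code): a toy evaluator for the classic PAM control flags, run against the auth stack Wichert quoted above. The shadow entries, the LDAP directory contents and the `ldap_up` switch are constructed inputs, and module options such as `try_first_pass` and `use_authtok` are not modelled. It shows why, with pam_unix marked `sufficient`, LDAP is never consulted when the local password matches, and why a `required` pam_ldap that cannot reach its server turns the whole stack's result into PAM_SERVICE_ERR, the status that login reports as "Error in service module".

```python
"""Toy model of how libpam walks a module stack (added example; not code from the
thread and not Linux-PAM's own code).  Module results are constructed stand-ins."""
from typing import Callable, Dict, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"          # password rejected
PAM_SERVICE_ERR = "PAM_SERVICE_ERR"    # pam_strerror: "Error in service module"
PAM_PERM_DENIED = "PAM_PERM_DENIED"    # no module decided the outcome

# (user, password) -> status; options such as try_first_pass are not modelled
ModuleFn = Callable[[str, str], str]
Entry = Tuple[str, str, str, List[str]]   # (type, control, module, options)

# The auth stack quoted in the thread
STACK_TEXT = """
auth    sufficient  pam_unix.so
auth    required    pam_ldap.so try_first_pass
"""


def parse_stack(text: str) -> List[Entry]:
    """Parse pam.d-style lines into (type, control, module, options) tuples."""
    stack: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *opts = line.split()
        stack.append((mtype, control, module, opts))
    return stack


def run_stack(stack: List[Entry], modules: Dict[str, ModuleFn],
              mtype: str, user: str, password: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Evaluate one management group ('auth', 'account', ...) with an approximation
    of the documented required/requisite/sufficient/optional semantics.
    Returns the final status and the (module, result) calls actually made."""
    impression: Optional[str] = None   # None undecided, "pos" success so far, "neg" failed
    status = PAM_SUCCESS
    calls: List[Tuple[str, str]] = []
    for t, control, module, _opts in stack:
        if t != mtype:
            continue
        result = modules[module](user, password)
        calls.append((module, result))
        ok = result == PAM_SUCCESS
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = "pos"
            else:
                if impression != "neg":
                    impression, status = "neg", result   # first failure wins
                if control == "requisite":
                    return result, calls                 # requisite aborts at once
        elif control == "sufficient":
            if ok and impression != "neg":
                return PAM_SUCCESS, calls                # later modules are skipped
            # a failed sufficient module is simply ignored
        elif control == "optional":
            if impression is None:
                impression, status = ("pos" if ok else "neg"), result
        else:
            raise ValueError(f"unknown control flag: {control}")
    if impression == "neg":
        return status, calls
    if impression == "pos":
        return PAM_SUCCESS, calls
    return PAM_PERM_DENIED, calls


def make_modules(shadow: Dict[str, str], ldap_dir: Dict[str, str],
                 ldap_up: bool) -> Dict[str, ModuleFn]:
    """Constructed stand-ins for pam_unix and pam_ldap (plain strings, not crypt(3) hashes)."""
    def pam_unix(user: str, password: str) -> str:
        return PAM_SUCCESS if shadow.get(user) == password else PAM_AUTH_ERR

    def pam_ldap(user: str, password: str) -> str:
        if not ldap_up:
            return PAM_SERVICE_ERR   # like "ldap_simple_bind Can't contact LDAP server"
        return PAM_SUCCESS if ldap_dir.get(user) == password else PAM_AUTH_ERR

    return {"pam_unix.so": pam_unix, "pam_ldap.so": pam_ldap}


def simulate(ldap_up: bool, user: str, password: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Run the thread's auth stack against a constructed shadow file and directory."""
    shadow = {"root": "local-root-pw"}       # constructed local account
    ldap_dir = {"bam": "ldap-only-pw"}       # constructed account that exists only in LDAP
    return run_stack(parse_stack(STACK_TEXT), make_modules(shadow, ldap_dir, ldap_up),
                     "auth", user, password)


if __name__ == "__main__":
    for ldap_up, user, pw in [(False, "root", "local-root-pw"),
                              (False, "root", "wrong"),
                              (True, "bam", "ldap-only-pw")]:
        status, calls = simulate(ldap_up, user, pw)
        print(f"ldap_up={ldap_up!s:5} user={user:4} -> {status:15} via {calls}")
```

Running the block prints the three scenarios: a matching local password short-circuits at pam_unix without touching LDAP, a rejected local password with the server down ends in PAM_SERVICE_ERR, and an LDAP-only user authenticates when the server is up. The operational point is the second case: any `required` module whose backend is a network service becomes an availability dependency for every login that does not succeed locally first, so a stack like this deserves a test with slapd stopped before it goes into production.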
