Re: LDAP authentication with PAM
>>>>> "Brian" == Brian May <bam@debian.org> writes:
Brian> Apr 13 19:13:30 snoopy PAM_unix[17434]: auth could not identify password for [root]
Brian> Apr 13 19:13:30 snoopy login[17434]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Brian> and
Brian> Apr 13 19:14:02 snoopy login[17474]: Error in service module
Stupid me. I had:
[auth stuff removed]
session sufficient pam_unix.so
account required pam_ldap.so
session sufficient pam_unix.so
session required pam_ldap.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
[password stuff removed]
when of course, the first session should read "account". One more
problem solved. One to go (making TLS work).
However, I note two issues in the above config:
1. pam_lastlog, pam_motd, pam_mail, etc. do not appear to get used if
pam_unix is used. I think this is because pam_ldap fails, and further
processing is stopped.
2. pam_unix always seems to be used though as account information can
be found via NSS. So pam_ldap probably is never tried, at least for
the session, account and password management.
So I might:
1. put the other session stuff first, so it will always get invoked, even
if the required item fails.
2. make pam_ldap first, to ensure it is used instead of UNIX when available.
Comments?
--
Brian May <bam@debian.org>
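The following is an added example, not part of Brian's mail or of libpam: a small
Python walk of a PAM stack that applies the four simple control flags as pam.conf(5)
describes them (required, requisite, sufficient, optional) and reports which modules
actually get called. The first config is the posted session/account stack with the
first "session" corrected to "account"; the second is one hypothetical reading of the
proposed reordering (other session modules first, pam_ldap before pam_unix) and is my
assumption, not something stated in the mail. The "LDAP down" / "LDAP up" outcomes are
constructed inputs standing in for what the modules would return.

```python
"""Toy walk of a PAM module stack under the simple control flags of pam.conf(5).
Added example; not libpam code.  Module outcomes are constructed, not real calls."""

from dataclasses import dataclass


@dataclass
class Entry:
    mtype: str    # auth | account | session | password
    control: str  # required | requisite | sufficient | optional
    module: str   # e.g. pam_unix.so
    args: tuple   # remaining fields, ignored by the walk


def parse_pam(text):
    """Parse classic /etc/pam.d lines: <type> <control> <module> [args...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError("unsupported PAM line: %r" % raw)
        entries.append(Entry(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return entries


def run_stack(entries, mtype, outcomes):
    """Walk one management group (auth/account/session/password) in order.

    outcomes maps module name -> True (succeeds) / False (fails); a module not
    listed is treated as failing.  Returns (stack_succeeded, modules_called)."""
    invoked = []
    required_failed = False   # the first failure of a required module sticks
    has_required = False
    optional_ok = False       # an optional success only counts if nothing else decided
    for e in entries:
        if e.mtype != mtype:
            continue
        ok = outcomes.get(e.module, False)
        invoked.append(e.module)
        if e.control == "required":
            has_required = True
            if not ok:
                required_failed = True        # remember it, but keep calling the rest
        elif e.control == "requisite":
            has_required = True
            if not ok:
                return False, invoked         # stop immediately with failure
        elif e.control == "sufficient":
            if ok:
                # A successful sufficient module ends the walk: success if no
                # required module has failed so far, otherwise the remembered failure.
                return (not required_failed), invoked
            # a failed sufficient module is simply ignored
        elif e.control == "optional":
            optional_ok = optional_ok or ok
    if required_failed:
        return False, invoked
    if has_required or optional_ok:
        return True, invoked
    return False, invoked     # only sufficient modules, and none of them succeeded


# The posted stack, with the first "session" corrected to "account" as the mail says.
CORRECTED = """
account sufficient pam_unix.so
account required pam_ldap.so
session sufficient pam_unix.so
session required pam_ldap.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
"""

# Hypothetical reordering (assumption): other session modules first, pam_ldap
# tried before pam_unix so it wins when the LDAP server is reachable.
REORDERED = """
account sufficient pam_ldap.so
account required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
session sufficient pam_ldap.so
session required pam_unix.so
"""

# Constructed outcomes: local account resolvable via NSS, LDAP server unreachable / reachable.
LDAP_DOWN = {"pam_unix.so": True, "pam_ldap.so": False,
             "pam_lastlog.so": True, "pam_motd.so": True, "pam_mail.so": True}
LDAP_UP = dict(LDAP_DOWN, **{"pam_ldap.so": True})


def walk(config, mtype, outcomes):
    """Convenience wrapper: parse the config text and walk one group."""
    return run_stack(parse_pam(config), mtype, outcomes)


if __name__ == "__main__":
    for name, cfg in (("corrected", CORRECTED), ("reordered", REORDERED)):
        for label, out in (("LDAP down", LDAP_DOWN), ("LDAP up", LDAP_UP)):
            for group in ("account", "session"):
                print(name, label, group, walk(cfg, group, out))
```

With the corrected stack, "session sufficient pam_unix.so" succeeds first and the walk
stops there, so pam_ldap, pam_lastlog, pam_motd and pam_mail are never called at all,
whether or not the LDAP server is up. In the reordered stack the optional modules run
first, pam_ldap is tried before pam_unix and wins when it succeeds, and a failed pam_ldap
(sufficient) is ignored rather than failing the login.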