
Re: LDAP authentication with PAM



>>>>> "Brian" == Brian May <bam@debian.org> writes:

    Brian> Apr 13 19:13:30 snoopy PAM_unix[17434]: auth could not
    Brian> identify password for [root] Apr 13 19:13:30 snoopy
    Brian> login[17434]: pam_ldap: ldap_simple_bind Can't contact LDAP
    Brian> server

    Brian> and

    Brian> Apr 13 19:14:02 snoopy login[17474]: Error in service
    Brian> module

Stupid me. I had:

[auth stuff removed]

session    sufficient pam_unix.so
account    required   pam_ldap.so

session    sufficient pam_unix.so
session    required   pam_ldap.so

session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard noenv

[password stuff removed]

when of course, the first session should read "account". One more
problem solved. One to go (making TLS work).

However, I note two issues in the above config:

1. pam_lastlog, pam_motd, pam_mail, etc do not appear to get used if
pam_unix is used. I think this is because pam_ldap fails, and further
processing is stopped.

2. pam_unix always seems to be used though as account information can
be found via NSS. So pam_ldap probably is never tried, at least for
the session, account and password management.

So I might:

1. put the other session stuff first, so it will always get invoked, even
if the required item fails.

2. make pam_ldap first, to ensure it is used instead of UNIX when available.

Comments?
-- 
Brian May <bam@debian.org>
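To see why the optional session modules never run in the stack above, here is a small model of how Linux-PAM walks a management-group stack (required / requisite / sufficient / optional). It is an added example, not code from the mail or from PAM itself; the per-module results it takes are constructed inputs (e.g. "LDAP unreachable" is just a module marked as failing), and the reordered stack is one possible layout along the lines the mail proposes, not a tested configuration.

```python
# Added example: simplified model of the PAM control flags from pam.conf(5).
# It does not implement the full [value=action] syntax.

# The session stack exactly as posted in the mail (control, module).
MAIL_SESSION_STACK = [
    ("sufficient", "pam_unix.so"),
    ("required", "pam_ldap.so"),
    ("optional", "pam_lastlog.so"),
    ("optional", "pam_motd.so"),
    ("optional", "pam_mail.so"),
]

# One possible reordering: optional modules first so they always run,
# pam_ldap tried before pam_unix, pam_unix kept as the fallback.
REORDERED_SESSION_STACK = [
    ("optional", "pam_lastlog.so"),
    ("optional", "pam_motd.so"),
    ("optional", "pam_mail.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]


def run_stack(stack, results):
    """Return (outcome, invoked) for a stack given per-module results.

    results maps module name -> True (success) / False (failure); a module
    absent from the dict is treated as failing (constructed stand-in for an
    unreachable LDAP server). invoked lists modules that actually ran.
    """
    invoked = []
    required_failed = False
    for control, module in stack:
        invoked.append(module)
        ok = results.get(module, False)
        if control == "required" and not ok:
            required_failed = True          # remember failure, keep walking
        elif control == "requisite" and not ok:
            return "failure", invoked       # failure ends the stack at once
        elif control == "sufficient" and ok and not required_failed:
            return "success", invoked       # short-circuit: rest is skipped
        # optional: result ignored unless it is the only kind in the stack
    if stack and all(c == "optional" for c, _ in stack):
        last_ok = results.get(stack[-1][1], False)
        return ("success" if last_ok else "failure"), invoked
    return ("failure" if required_failed else "success"), invoked
```

With pam_unix succeeding, the posted stack returns after the first line and pam_ldap, pam_lastlog, pam_motd and pam_mail are never invoked; in the reordered stack the optional modules always run and pam_unix is reached whenever pam_ldap fails.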
