Re: PAM_Unix, PAM_LDAP

To: debian-devel@lists.debian.org
Subject: Re: PAM_Unix, PAM_LDAP
From: Brian May <bam@snoopy.apana.org.au>
Date: Sun, 28 Jul 2002 14:37:17 +1000
Message-id: <[🔎] 20020728043717.GE7217@snoopy.apana.org.au>
Mail-followup-to: Brian May <bam@snoopy.apana.org.au>, debian-devel@lists.debian.org
In-reply-to: <[🔎] 20020728043009.GB3651@leathercollection.ph>
References: <[🔎] 20020728020256.GJ4239@snoopy.apana.org.au> <[🔎] 20020728043009.GB3651@leathercollection.ph>

On Sun, Jul 28, 2002 at 12:30:09PM +0800, Federico Sevilla III wrote:
> I do not know if this will work in your situation, but I'm wondering if
> using the recommended configuration, which seems to do the reverse --
> authenticate via pam_ldap first and then if that fails use pam_unix --
> will work for you.

That means if the LDAP server goes down for any reason, it will be
impossible to log in (even as root) until the LDAP query times out.

Eg. a broken firewall policy that drops all packets could do this, and
its very easy to accidently break a firewall like this (just flush the
INPUT table when the default policy is DROP...). This will break even if
contacting LDAP via localhost.
-- 
Brian May <bam@snoopy.apana.org.au>


-- 
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: PAM_Unix, PAM_LDAP
  - From: "Jeremy T. Bouse" <jbouse@debian.org>
- Re: PAM_Unix, PAM_LDAP
  - From: Russell Coker <russell@coker.com.au>

References:
- PAM_Unix, PAM_LDAP
  - From: Brian May <bam@snoopy.apana.org.au>
- Re: PAM_Unix, PAM_LDAP
  - From: Federico Sevilla III <jijo@free.net.ph>

Prev by Date: Re: PAM_Unix, PAM_LDAP
Next by Date: Re: interfaces, mapping, etc
Previous by thread: Re: PAM_Unix, PAM_LDAP
Next by thread: Re: PAM_Unix, PAM_LDAP
Index(es):
- Date
- Thread