
Re: PAM_Unix, PAM_LDAP



On Sun, 28 Jul 2002 06:37, Brian May wrote:
> On Sun, Jul 28, 2002 at 12:30:09PM +0800, Federico Sevilla III wrote:
> > I do not know if this will work in your situation, but I'm wondering if
> > using the recommended configuration, which seems to do the reverse --
> > authenticate via pam_ldap first and then if that fails use pam_unix --
> > will work for you.
>
> That means if the LDAP server goes down for any reason, it will be
> impossible to log in (even as root) until the LDAP query times out.
>
> Eg. a broken firewall policy that drops all packets could do this, and
> it's very easy to accidentally break a firewall like this (just flush the
> INPUT table when the default policy is DROP...). This will break even if
> contacting LDAP via localhost.

Last time I had this happen to me the LDAP timeouts made the overall login
process time out and it was simply impossible to log in as root to fix things.
I had to make a special visit to a co-lo site to fix it.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
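
Added example, not part of the thread: a simplified model of how an `auth` stack is walked, showing why a local root login waits on pam_ldap in the LDAP-first ordering but not when pam_unix comes first. The two stacks and all function names are constructed for illustration; NSS lookups and the account/session stacks are not modelled.

```python
# Simplified model of walking a PAM "auth" stack (added illustration).
# Only required/requisite/sufficient are modelled; optional is ignored.

LDAP_FIRST = """\
auth sufficient pam_ldap.so
auth required   pam_unix.so use_first_pass
"""  # constructed sample, not taken from the thread

UNIX_FIRST = """\
auth sufficient pam_unix.so
auth required   pam_ldap.so use_first_pass
"""  # constructed sample, not taken from the thread

# Assumption: modules that block while their server is unreachable.
NETWORK_MODULES = {"pam_ldap.so"}


def parse_auth(text):
    """Return [(control, module)] for the auth lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack


def walk(stack, succeeds):
    """Walk the stack; `succeeds` is the set of modules returning success.
    Returns (authenticated, modules_called_in_order)."""
    called, failed, passed = [], False, False
    for control, module in stack:
        called.append(module)
        ok = module in succeeds
        if control == "requisite" and not ok:
            return False, called          # fail immediately
        if control == "sufficient" and ok and not failed:
            return True, called           # stop here, later modules never run
        if control in ("required", "requisite"):
            failed = failed or not ok
            passed = passed or ok
    return (passed and not failed), called


def waits_on_network(text, succeeds):
    """Network-backed modules a login has to wait on before it is decided."""
    _, called = walk(parse_auth(text), succeeds)
    return [m for m in called if m in NETWORK_MODULES]
```

With `succeeds={"pam_unix.so"}` (a local account such as root), the LDAP-first stack calls pam_ldap before pam_unix is ever consulted, while the pam_unix-first stack returns without calling it.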



