
Re: central authentication with LDAP



On Mon, Jan 28, 2002 at 11:10:09PM +1100, Russell Coker wrote:
> On Mon, 28 Jan 2002 21:31, Florian Bantner wrote:
[snip]
> > auth       sufficient   pam_rootok.so
> > auth       sufficient   pam_ldap.so
> > auth       required     pam_unix.so use_first_pass
> > account    sufficient   pam_ldap.so
> > account    required     pam_unix.so
> > session    required     pam_unix.so
> 
> I suggest putting pam_unix first and pam_ldap later in the
> list.  If you do otherwise then an LDAP problem can make it
> impossible to login which is a real bitch.  I once had that
> happen to servers at a secure hosting facility, that was a
> real PITA.
[snip]

I haven't looked at the PAM docs enough or bothered testing
this, but I think what Florian has above should be fine.

pam_ldap.so is "sufficient" so that if LDAP is working and he
types in the right user/pass combination, it should let him in.

If LDAP is not working, it should fall through to pam_unix.so
and also use the password he already typed in for pam_ldap.so.

-- 
Michael Wood <mwood@its.uct.ac.za>
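As an added illustration (not code from the thread), a small Python model of how Linux-PAM walks an auth stack under the pam.conf(5) control flags, run over the quoted stack for the cases discussed above: LDAP up, LDAP unreachable with a valid local password, and LDAP unreachable with no local account. The simulated module results, the scenario names and the contrasting stack with pam_ldap marked `required` are constructed assumptions.

```python
"""Toy model of how Linux-PAM walks an 'auth' stack (pam.conf(5) control flags).

Constructed example, not from the thread; module results are simulated
rather than obtained from real pam_ldap/pam_unix.
"""
PAM_SUCCESS, PAM_AUTH_ERR, PAM_AUTHINFO_UNAVAIL = "success", "auth_err", "authinfo_unavail"


def run_stack(stack, outcomes):
    """Return (final_result, modules_consulted) for one login attempt.

    stack:    list of (control, module) in file order
    outcomes: module name -> return code the module would produce
    """
    consulted, required_failure = [], None
    for control, module in stack:
        rc = outcomes[module]
        consulted.append(module)
        if control == "required" and rc != PAM_SUCCESS:
            required_failure = required_failure or rc   # remembered, stack continues
        elif control == "requisite" and rc != PAM_SUCCESS:
            return rc, consulted                        # abort immediately
        elif control == "sufficient" and rc == PAM_SUCCESS and required_failure is None:
            return PAM_SUCCESS, consulted               # short-circuit success
        # a failing 'sufficient' (or any 'optional') module is ignored here
    return required_failure or PAM_SUCCESS, consulted


# The quoted auth stack; use_first_pass means pam_unix re-uses the password
# pam_ldap already prompted for, so the user is not asked twice.
QUOTED = [("sufficient", "pam_rootok"), ("sufficient", "pam_ldap"), ("required", "pam_unix")]
# Contrast constructed here: pam_ldap as 'required', the shape that fails closed on an outage.
LDAP_REQUIRED = [("required", "pam_ldap"), ("required", "pam_unix")]

SCENARIOS = {
    # non-root user, so pam_rootok fails in every case
    "ldap_up_password_ok": {"pam_rootok": PAM_AUTH_ERR, "pam_ldap": PAM_SUCCESS, "pam_unix": PAM_AUTH_ERR},
    "ldap_down_local_ok":  {"pam_rootok": PAM_AUTH_ERR, "pam_ldap": PAM_AUTHINFO_UNAVAIL, "pam_unix": PAM_SUCCESS},
    "ldap_down_no_local":  {"pam_rootok": PAM_AUTH_ERR, "pam_ldap": PAM_AUTHINFO_UNAVAIL, "pam_unix": PAM_AUTH_ERR},
}


def outcome(stack_name, scenario):
    """Evaluate one named stack ('quoted' or 'ldap_required') against one scenario."""
    stack = QUOTED if stack_name == "quoted" else LDAP_REQUIRED
    return run_stack(stack, SCENARIOS[scenario])


if __name__ == "__main__":
    for name in SCENARIOS:
        for s in ("quoted", "ldap_required"):
            print(f"{name:22s} {s:14s} -> {outcome(s, name)}")
```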


