Re: central authentication with LDAP
On Tue, 29 Jan 2002 02:14, Michael Wood wrote:
> On Mon, Jan 28, 2002 at 11:10:09PM +1100, Russell Coker wrote:
> > > auth sufficient pam_rootok.so
> > > auth sufficient pam_ldap.so
> > > auth required pam_unix.so use_first_pass
> > > account sufficient pam_ldap.so
> > > account required pam_unix.so
> > > session required pam_unix.so
> > I suggest putting pam_unix first and pam_ldap later in the
> > list. If you do otherwise then an LDAP problem can make it
> > impossible to login which is a real bitch. I once had that
> > happen to servers at a secure hosting facility, that was a
> > real PITA.
> I haven't looked at the PAM docs enough or bothered testing
> this, but I think what Florian has above should be fine.
I could have guessed that you didn't test it.
> pam_ldap.so is "sufficient" so that if LDAP is working and he
> types in the right user/pass combination, it should let him in.
> If LDAP is not working, it should fall through to pam_unix.so
> and also use the password he already typed in for pam_ldap.so.
If LDAP cleanly doesn't work, i.e. if it rejects the username, or if an RST
packet is generated by the LDAP server in response to a SYN, then things
should be fine.
If the LDAP server accepts the connection and just does nothing then things
can get bad.
But feel free to test this out on one of your networks some time, I've
already tested it on one of mine and had a network of dead machines as a
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
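To make the ordering argument in this thread concrete, here is an added simulation (not code from the thread or from any of its posters) of how Linux-PAM evaluates the "sufficient" and "required" control flags. The local password file, the directory contents, the 120 second timeout and the control flags used in the reordered stack are all my own constructed assumptions; the hung LDAP server is modelled as a module that accepts the request and answers only after the timeout.

```python
"""Simulate Linux-PAM 'sufficient'/'required' evaluation for an auth stack
to show why pam_unix before pam_ldap keeps local logins working when the
LDAP server accepts connections but never answers."""

PAM_SUCCESS, PAM_AUTH_ERR, PAM_TIMEOUT = "success", "auth_err", "timeout"

LOCAL_USERS = {"root": "rootpw", "admin": "adminpw"}  # constructed /etc/shadow
LDAP_USERS = {"alice": "alicepw"}                     # constructed directory


def pam_unix(user, password):
    """Local file check: answers immediately, never depends on the network."""
    ok = LOCAL_USERS.get(user) == password
    return (PAM_SUCCESS if ok else PAM_AUTH_ERR), 0.0


def make_pam_ldap(hung, timeout=120.0):
    """Return a pam_ldap stand-in. If `hung`, the server accepts the TCP
    connection and then does nothing, so the module only returns after
    `timeout` seconds (the bad case described in the thread)."""
    def pam_ldap(user, password):
        if hung:
            return PAM_TIMEOUT, timeout
        ok = LDAP_USERS.get(user) == password
        return (PAM_SUCCESS if ok else PAM_AUTH_ERR), 0.1   # one round trip
    return pam_ldap


def run_stack(stack, user, password):
    """Evaluate [(control, module), ...] with Linux-PAM semantics for the
    two control flags used in the thread. Returns (result, seconds spent)."""
    elapsed, required_failed = 0.0, False
    for control, module in stack:
        result, seconds = module(user, password)
        elapsed += seconds
        if control == "sufficient":
            # success ends the stack unless an earlier 'required' failed;
            # failure is ignored and evaluation continues
            if result == PAM_SUCCESS and not required_failed:
                return PAM_SUCCESS, elapsed
        elif control == "required":
            # failure is remembered, but the rest of the stack still runs
            required_failed = required_failed or result != PAM_SUCCESS
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return (PAM_AUTH_ERR if required_failed else PAM_SUCCESS), elapsed


def login(ldap_first, ldap_hung, user, password):
    """ldap_first=True is the ordering quoted in the thread; False is the
    suggested reordering (control flags for it are an assumption)."""
    ldap = make_pam_ldap(ldap_hung)
    stack = ([("sufficient", ldap), ("required", pam_unix)] if ldap_first
             else [("sufficient", pam_unix), ("required", ldap)])
    return run_stack(stack, user, password)
```

With the LDAP server hung, a local admin login under the quoted ordering only succeeds after the full timeout, while the reordered stack never touches LDAP for that user; directory users still authenticate in both orderings when LDAP is healthy.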