Re: Re: problems with nslcd
Re: Re: problems with nslcd
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: Patrick Hornecker <phornecker [at] googlemail.com>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Re: problems with nslcd
- Date: Sat, 26 Mar 2011 15:52:06 +0100
On Sat, 2011-01-29 at 16:07 -0800, Patrick Hornecker wrote:
> I'll post you all pam config files which we have altered.
>
> common-account:
> account sufficient pam_ldap.so
> account required pam_unix.so
>
> common-auth:
> auth sufficient pam_ldap.so
> auth required pam_unix.so nullok_secure use_first_pass
>
> common-password:
> password sufficient pam_ldap.so
> password required pam_unix.so nullok obscure min=4 max=8 md5
>
> common-session:
> session required pam_unix.so
> session optional pam_ldap.so
Sorry for not replying sooner. The problem with this stack is that for
common-account pam_unix is skipped if pam_ldap thinks it's OK.
You could work with something like this:

account [success=ok ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_unix.so
account [success=ok ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so

Btw, I would recommend passing minimum_uid=1000 to pam_ldap if
reasonable for your configuration and would personally try pam_unix
before pam_ldap to avoid network delays for local account logins (think
network down and you want to login as root to examine the situation).
Since shadow information is provided in your config pam_unix should
always be OK and you could also do:

account required pam_unix.so
account [success=ok ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so
Hope this helps.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
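The following Python is an added example, not code from this mail or from nss-pam-ldapd. It models how Linux-PAM walks an `account` stack (keyword expansions and the ok/done/bad/die/ignore actions as documented in pam.conf(5); jump and reset actions are not modelled, and a control field without `default` is treated as `default=bad`, which is an assumption) and runs the original stack and the two stacks suggested above against constructed per-user module verdicts. The verdicts are made up for the demonstration; nothing here talks to PAM, pam_ldap or pam_unix. Beyond the point made in the mail (pam_unix never being consulted when pam_ldap says OK), it also shows the reverse consequence of `sufficient`, whose expansion maps every failure to `ignore`, and why the second suggested stack needs pam_unix to always find shadow data.

```python
"""Model of Linux-PAM account-stack evaluation for comparing the stacks in the mail.
Semantics follow pam.conf(5) and the Linux-PAM dispatcher: keyword expansions,
ok/done/bad/die/ignore, and the 'must fail' initial state. Not modelled: jump/reset.
All module verdicts below are constructed, not real pam_ldap/pam_unix output."""

PAM_SUCCESS = "success"
PAM_IGNORE = "ignore"
PAM_USER_UNKNOWN = "user_unknown"
PAM_AUTHINFO_UNAVAIL = "authinfo_unavail"
PAM_ACCT_EXPIRED = "acct_expired"
PAM_PERM_DENIED = "perm_denied"

# Keyword shorthands as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def _logical_lines(text):
    """Yield one stack entry per line, re-joining '[...]' control fields that
    were wrapped across lines (as they are in the quoted mail)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        buf = (buf + " " + line).strip()
        if buf.count("[") == buf.count("]"):
            yield buf
            buf = ""


def parse_stack(text):
    """Return [(action_map, module)] for pam.d-style 'type control module [args]' lines."""
    entries = []
    for line in _logical_lines(text):
        _type, rest = line.split(None, 1)
        if rest.startswith("["):
            close = rest.index("]")
            actions = dict(p.split("=", 1) for p in rest[1:close].split())
            module = rest[close + 1:].split()[0]
        else:
            keyword, module = rest.split(None, 2)[:2]
            actions = KEYWORDS[keyword]
        entries.append((actions, module))
    return entries


def run_stack(entries, verdicts):
    """Walk the stack, each module returning verdicts[module].
    Returns (final status, list of modules that were actually consulted)."""
    impression, status = None, PAM_PERM_DENIED   # dispatcher starts in "must fail"
    consulted = []
    for actions, module in entries:
        retval = verdicts[module]
        consulted.append(module)
        # Unlisted return codes fall under 'default'; a missing 'default' is
        # treated as 'bad' here (assumption; every stack in the mail sets it).
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                                    # 'sufficient' short-circuits
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval  # first failure is what gets reported
            if action == "die":
                break
        elif action != "ignore":
            raise ValueError("action %r not modelled" % action)
    if status == PAM_SUCCESS and impression != "positive":
        status = PAM_PERM_DENIED
    return status, consulted


# The three common-account stacks from the mail, verbatim (wrapped lines included).
ORIGINAL = """
account sufficient pam_ldap.so
account required pam_unix.so
"""
SUGGESTED = """
account [success=ok ignore=ignore user_unknown=ignore authinfo_unavail=ignore
default=bad] pam_unix.so
account [success=ok ignore=ignore user_unknown=ignore authinfo_unavail=ignore
default=bad] pam_ldap.so
"""
SUGGESTED_SHADOW = """
account required pam_unix.so
account [success=ok ignore=ignore user_unknown=ignore authinfo_unavail=ignore
default=bad] pam_ldap.so
"""

# Constructed verdicts: what each module is assumed to return for a given login.
SCENARIOS = {
    "ldap_ok_local_expired": {"pam_ldap.so": PAM_SUCCESS,          "pam_unix.so": PAM_ACCT_EXPIRED},
    "ldap_expired_local_ok": {"pam_ldap.so": PAM_ACCT_EXPIRED,     "pam_unix.so": PAM_SUCCESS},
    "root_network_down":     {"pam_ldap.so": PAM_AUTHINFO_UNAVAIL, "pam_unix.so": PAM_SUCCESS},
    "local_only_user":       {"pam_ldap.so": PAM_USER_UNKNOWN,     "pam_unix.so": PAM_SUCCESS},
    "no_shadow_entry":       {"pam_ldap.so": PAM_SUCCESS,          "pam_unix.so": PAM_USER_UNKNOWN},
}


def evaluate_all():
    """{(stack name, scenario): (status, consulted modules)} for every combination."""
    stacks = {"original": ORIGINAL, "suggested": SUGGESTED, "shadow": SUGGESTED_SHADOW}
    return {(s, u): run_stack(parse_stack(text), verdicts)
            for s, text in stacks.items() for u, verdicts in SCENARIOS.items()}


if __name__ == "__main__":
    for (stack, scenario), (status, consulted) in evaluate_all().items():
        print("%-9s %-22s -> %-17s consulted %s" % (stack, scenario, status, consulted))
```

Under these constructed verdicts the original stack grants `ldap_ok_local_expired` without ever consulting pam_unix, and also grants `ldap_expired_local_ok` because `sufficient` ignores pam_ldap's failure; both bracketed stacks report the expiry. The `no_shadow_entry` row shows the difference between the two suggested stacks: with `required pam_unix.so` a user that pam_unix cannot find is denied, which is why that variant relies on shadow information always being available.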