
Re: Re: problems with nslcd





Hi,

Sorry that I couldn't answer the last mail earlier. I've tried the changes you sent me, and now it works as it is supposed to; I just wanted to let you know that!

Thank you for your help!

Regards
Patrick

2011/3/26 Arthur de Jong <arthur [at] arthurdejong.org>
On Sat, 2011-01-29 at 16:07 -0800, Patrick Hornecker wrote:
> I'll post you all pam config files which we have altered.
>
> common-account:
> account sufficient      pam_ldap.so
> account required        pam_unix.so
>
> common-auth:
> auth    sufficient      pam_ldap.so
> auth    required        pam_unix.so nullok_secure use_first_pass
>
> common-password:
> password   sufficient pam_ldap.so
> password   required   pam_unix.so nullok obscure min=4 max=8 md5
>
> common-session:
> session required        pam_unix.so
> session optional        pam_ldap.so

Sorry not to reply sooner. The problem with this stack is that for
common-account pam_unix is skipped if pam_ldap thinks it's OK.

You could work with something like this:

account [success=ok ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_unix.so
account [success=ok ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so

Btw, I would recommend passing minimum_uid=1000 to pam_ldap if
reasonable for your configuration, and I would personally try pam_unix
before pam_ldap to avoid network delays for local account logins (think
network down and you want to log in as root to examine the situation).

Since shadow information is provided in your config, pam_unix should
always be OK, and you could also do:

account required pam_unix.so
account [success=ok ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so

Hope this helps.

--
-- arthur - arthur [at] arthurdejong.org - http://arthurdejong.org --
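To make the control-flag behaviour Arthur describes concrete, here is a small simulator of how Linux-PAM walks an account stack. It is an added example, not code from this thread or from nss-pam-ldapd: the keyword expansions and the walk follow pam.conf(5) and Linux-PAM's pam_dispatch.c as I read them, and the module return codes in each scenario are constructed. It runs Patrick's original stack and both of Arthur's alternatives side by side and reports which modules were actually called and what the stack returns, so the "pam_unix is skipped" case, the "LDAP unreachable" case and the "nobody contributed, so deny" case are all visible.

```python
"""Linux-PAM control-flag simulator for the account stacks in this thread.

Added example (not from the thread or from nss-pam-ldapd). The control
table expansions and the evaluation order follow pam.conf(5) and Linux-PAM's
pam_dispatch.c as I understand them; module return codes are constructed."""

SUCCESS, USER_UNKNOWN, AUTHINFO_UNAVAIL, PERM_DENIED = (
    "success", "user_unknown", "authinfo_unavail", "perm_denied")

# Keyword controls are shorthand for explicit [...] tables (pam.conf(5)).
KEYWORD = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


def parse_control(control):
    """'required' or '[success=ok default=bad]' -> {return code: action}."""
    if control in KEYWORD:
        return dict(KEYWORD[control])
    if control.startswith("[") and control.endswith("]"):
        return dict(item.split("=", 1) for item in control[1:-1].split())
    raise ValueError("unknown control field: %r" % control)


def parse_stack(text):
    """Parse 'type control module [args]' lines into (table, module) pairs."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _type, rest = line.split(None, 1)
        rest = rest.lstrip()
        if rest.startswith("["):            # bracketed control contains spaces
            end = rest.index("]") + 1
            control, rest = rest[:end], rest[end:]
        else:
            control, rest = rest.split(None, 1)
        stack.append((parse_control(control), rest.split()[0]))
    return stack


def run_stack(stack, results):
    """Walk the stack like pam_dispatch.c. `results` maps module -> the code
    it would return. Returns (final code, modules that were actually called)."""
    called = []
    failure = None   # first 'bad'/'die' code; once set it wins
    status = None    # code contributed by 'ok'/'done' modules, if no failure
    for table, module in stack:
        code = results[module]
        called.append(module)
        action = table.get(code, table.get("default", "bad"))  # unlisted codes are 'bad'
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if failure is None:
                failure = code
            if action == "die":
                break
        elif action in ("ok", "done"):
            if failure is None and status in (None, SUCCESS):
                status = code
            if failure is None and action == "done":
                break        # 'done' only short-circuits a so-far-successful stack
        else:
            raise ValueError("jump/reset actions not modelled: %r" % action)
    if failure is not None:
        return failure, called
    # Linux-PAM denies when no module contributed a result (all were ignored).
    return (status if status is not None else PERM_DENIED), called


# The three account stacks from the thread, copied as posted.
ORIGINAL = """
account sufficient      pam_ldap.so
account required        pam_unix.so
"""
SUGGESTED = """
account [success=ok ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_unix.so
account [success=ok ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so
"""
RECOMMENDED = """
account required pam_unix.so
account [success=ok ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so
"""
STACKS = (("original", ORIGINAL), ("suggested", SUGGESTED), ("recommended", RECOMMENDED))


def compare(results):
    """Run one set of constructed module results through all three stacks."""
    return {name: run_stack(parse_stack(text), results) for name, text in STACKS}


if __name__ == "__main__":
    scenarios = {   # constructed module results, not real nslcd output
        "ldap ok, unix ok":             {"pam_ldap.so": SUCCESS, "pam_unix.so": SUCCESS},
        "ldap denies, unix ok":         {"pam_ldap.so": PERM_DENIED, "pam_unix.so": SUCCESS},
        "ldap unreachable, local root": {"pam_ldap.so": AUTHINFO_UNAVAIL, "pam_unix.so": SUCCESS},
        "unknown everywhere":           {"pam_ldap.so": USER_UNKNOWN, "pam_unix.so": USER_UNKNOWN},
    }
    for label, results in scenarios.items():
        print(label)
        for name, (code, called) in compare(results).items():
            print("  %-12s -> %-16s called: %s" % (name, code, ", ".join(called)))
```

Two things the output makes clear beyond the thread's one sentence: with the original stack a pam_ldap denial is also thrown away (sufficient's default action is ignore), so pam_unix alone decides; and with the first suggested stack a user unknown to both modules ends with nothing contributing, which Linux-PAM turns into a denial rather than a pass.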
