Re: authentication puzzle
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: authentication puzzle
- Date: Tue, 11 Mar 2014 21:46:36 +0100

On Tue, 2014-03-11 at 09:39 -0700, Eneida Lima wrote:
> Here is the info :
[...]
> 2. /etc/pam.d/system-auth-ac
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_ldap.so try_first_pass
> auth sufficient pam_unix.so nullok use_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth required pam_deny.so

It is pretty weird to put pam_ldap before pam_unix because this will
delay logins unnecessarily when the LDAP server is unavailable (e.g. in
emergencies).

Is this the default PAM stack?

Adding debug at the end of the pam_unix and pam_ldap lines should
provide more debugging information (through syslog).

> 3. Output from 'nslcd -d' for an unsuccessful login:
> nslcd: version 0.7.5 starting

0.7.5 is pretty old but nss-pam-ldapd-0.7.5-18.2.el6_4 from Red Hat
should contain many of the backported fixes.

However, if I understand correctly, the PAM module of nss-pam-ldapd is
not used in the Red Hat packaging so you have to check the configuration
file for PADL's pam_ldap module (not sure what that is on Red Hat).

Hope this helps,

--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
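
The ordering point in the message above, as an added example that is not part of the original message or of nss-pam-ldapd: a simplified Python model of the one-word PAM control flags (required, requisite, sufficient) run over the quoted auth stack, showing which modules are consulted for a local account while LDAP is unreachable, plus a helper that appends debug to the pam_unix and pam_ldap lines. The function names and the module outcome map are assumptions made for this illustration; bracketed controls and timeouts are not modelled.

```python
# Constructed sample: the auth lines quoted in the message above.
QUOTED = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_ldap.so try_first_pass
auth sufficient pam_unix.so nullok use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""

def parse(text, facility="auth"):
    """Return [(control, module, args)]; simple one-word controls only."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == facility:
            entries.append((parts[1], parts[2], parts[3:]))
    return entries

def simulate(entries, results):
    """Walk the stack. results maps module -> True/False (assumed outcome);
    default is True, except pam_deny.so. Returns (granted, modules_called)."""
    called, failed = [], False
    for control, module, _ in entries:
        called.append(module)
        ok = results.get(module, module != "pam_deny.so")
        if not ok and control == "requisite":
            return False, called          # requisite failure ends the stack
        if not ok and control == "required":
            failed = True                 # remembered, stack continues
        if ok and control == "sufficient" and not failed:
            return True, called           # sufficient success ends the stack
    return not failed, called

def swapped(entries, a="pam_ldap.so", b="pam_unix.so"):
    """Copy of the stack with modules a and b exchanged (ordering test only)."""
    names = [m for _, m, _ in entries]
    i, j = names.index(a), names.index(b)
    out = list(entries)
    out[i], out[j] = out[j], out[i]
    return out

def add_debug(text, modules=("pam_unix.so", "pam_ldap.so")):
    """Append 'debug' to the lines of the given modules if it is missing."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] in modules and "debug" not in parts[3:]:
            line += " debug"
        out.append(line)
    return "\n".join(out) + "\n"
```

With the quoted order, a local account is only checked by pam_unix after pam_ldap has been tried; with the two lines exchanged, pam_ldap is not called at all for that login.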