RE: [pamldap] if ldap server is down - no ssh prompt or local logins work: msg#00001

Subject: RE: [pamldap] if ldap server is down - no ssh prompt or local logins work

Use pam_succeed_if to limit what accounts are checked via LDAP

-----
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [ default=ok user_unknown=ignore service_err=ignore system_err=ignore ] /lib/security/$ISA/pam_ldap.so

Note: for some earlier versions of PAM, the only solution that I am
aware of to log in as root is to restart in single user mode. I do
not recall in what version this was changed.

Mike

> -----Original Message-----
> From: owner-pamldap@xxxxxxxx [mailto:owner-pamldap@xxxxxxxx] On Behalf Of Daniel Cabral
> Sent: Sunday, March 05, 2006 9:46 PM
> To: Prakash Velayutham
> Cc: Tom Hodder; pamldap@xxxxxxxx; nssldap@xxxxxxxx
> Subject: Re: [pamldap] if ldap server is down - no ssh prompt or local logins work
>
> Me too! Anybody can help us!? hahaha
>
> []'s!
>
> On 2/13/06, Prakash Velayutham <prakash.velayutham@xxxxxxxxx> wrote:
> > Tom Hodder wrote:
> > > Hi,
> > >
> > > Apologies for the cross post to both pamldap and nssldap, I was not
> > > sure which was more appropriate.
> > >
> > > I was wondering whether anyone has a configuration for pam_ldap and
> > > nsswitch.conf for which local users and root can login if the ldap
> > > server is inaccessible.
> > >
> > > I would have thought that the line in system-auth "auth
> > > sufficient /lib/security/$ISA/pam_unix.so likeauth nullok" would
> > > allow a local user to login, even if the ldap server was inaccessible.
> > >
> > > (Also should I have "auth sufficient
> > > /lib/security/$ISA/pam_localuser.so debug" above the pam_ldap line?)
> > >
> > > Currently if ldap is down, ssh login hangs, and "su - " returns
> > > "Password:
> > > su: incorrect password"
> > > for the root password, though it is local and correct.
> > >
> > > Thanks,
> > >
> > > Tom
> > >
> > > I have nsswitch.conf with;
> > >
> > > passwd: files ldap
> > > shadow: files ldap
> > > group: files ldap
> > >
> > > and pam.d/system-auth with;
> > >
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth required /lib/security/$ISA/pam_env.so
> > > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> > > auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> > > auth sufficient /lib/security/$ISA/pam_wheel.so group=level1test
> > > auth sufficient /lib/security/$ISA/pam_localuser.so debug
> > > auth required /lib/security/$ISA/pam_deny.so
> > >
> > > account required /lib/security/$ISA/pam_unix.so
> > > account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
> > >
> > > password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
> > > password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> > > password sufficient /lib/security/$ISA/pam_ldap.so use_first_pass debug
> > > password required /lib/security/$ISA/pam_deny.so
> > >
> > > session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
> > > session required /lib/security/$ISA/pam_limits.so
> > > session required /lib/security/$ISA/pam_unix.so
> > Hi Tom,
> >
> > Just FYI. I notice the same issues with my systems too.
> >
> > Thanks,
> > Prakash
> >
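Why the ordering in Mike's suggested account stack matters, as an added example that is not part of the thread: a small Python simulation of Linux-PAM's control semantics (required, sufficient and the bracketed form) run over that stack. The user database, the module behaviours and the LDAP-down return code (service_err) are constructed, simplified assumptions rather than the real modules' code.

```python
# Added example, not code from the thread: a small simulator of Linux-PAM control
# semantics run over the account stack Mike posted. Module return codes are assumptions.
SUCCESS, USER_UNKNOWN, AUTH_ERR, SERVICE_ERR = "success", "user_unknown", "auth_err", "service_err"
# Linux-PAM expands keyword controls to bracketed action tables like these.
KEYWORDS = {"required": {SUCCESS: "ok", "default": "bad"},
            "sufficient": {SUCCESS: "done", "default": "ignore"}}

def run_stack(stack, env):
    """stack: [(control, name, fn)]. Returns (result, names of modules called)."""
    impression, status, called = None, None, []
    for control, name, fn in stack:
        actions = control if isinstance(control, dict) else KEYWORDS[control]
        retval = fn(env)
        called.append(name)
        action = actions.get(retval, actions["default"])
        if action in ("ok", "done"):  # success counts only if nothing failed yet
            if impression is None or (impression == "pos" and status == SUCCESS):
                impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break                 # sufficient: stop the stack here
        elif action == "bad" and impression != "neg":
            impression, status = "neg", retval  # first failure wins
        # "ignore" leaves the running result untouched
    return (status if impression else "system_err"), called

LOCAL = {"root": 0, "daemon": 2}  # constructed /etc/passwd entries (name -> uid)
LDAP = {"tom": 5001, "svc": 50}   # constructed directory entries (svc has a low uid)
def lookup(env):  # getpwnam through 'passwd: files ldap'
    u = env["user"]
    return LOCAL.get(u) if u in LOCAL else (LDAP.get(u) if env["ldap_up"] else None)
def pam_unix(env):        # broken_shadow: shadow read errors are ignored
    return SUCCESS if lookup(env) is not None else USER_UNKNOWN
def pam_localuser(env):   # any non-success is ignored under 'sufficient'
    return SUCCESS if env["user"] in LOCAL else USER_UNKNOWN
def pam_succeed_if(env):  # uid < 100
    uid = lookup(env)
    return SUCCESS if uid is not None and uid < 100 else AUTH_ERR
def pam_ldap(env):        # assumption: an unreachable server surfaces as service_err
    if not env["ldap_up"]:
        return SERVICE_ERR
    return SUCCESS if env["user"] in LDAP else USER_UNKNOWN
ACCOUNT_STACK = [
    ("required", "pam_unix", pam_unix),
    ("sufficient", "pam_localuser", pam_localuser),
    ("sufficient", "pam_succeed_if uid<100", pam_succeed_if),
    ({"default": "ok", USER_UNKNOWN: "ignore", SERVICE_ERR: "ignore", "system_err": "ignore"},
     "pam_ldap", pam_ldap)]
def account_check(user, ldap_up):
    return run_stack(ACCOUNT_STACK, {"user": user, "ldap_up": ldap_up})
```

With the LDAP server down, root is accepted by pam_localuser and pam_ldap is never called; a directory-only user is denied rather than accepted, and the bracketed control keeps its service_err from poisoning the result.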