LDAP question

Mike Lovell mike at dev-zero.net
Thu Jul 31 16:04:14 MDT 2008


Frank Sorenson wrote:
> Mike Lovell wrote:
>> I am trying to get an LDAP working for an environment that I have. 
>> Currently, the LDAP is working an I can authenticate the LDAP and 
>> everything is working fine. The one complaint I have is that one user 
>> or group lookup where the local account information is sufficient, 
>> there is still an query going again LDAP. Does anyone know if it is 
>> possible to configure things so that if there is a result found in 
>> /etc/passwd and /etc/group to then not do a query against the LDAP? I 
>> am wanting to deploy this in an environment that is doing a ton of 
>> file operations as a particular user that is already on the local 
>> machines and I don't want queries hitting the LDAP all of the time 
>> and killing it. I know nscd will cache the info but I am wanting to 
>> not hit the LDAP for that user at all. Here is what I have in my 
>> nsswitch.conf.
> The nsswitch.conf looks fine.  I'd look into the ordering of the pam 
> stack.  Check for references to pam_ldap.so in the 
> /etc/pam.d/system-auth or service-specific configuration, and make 
> sure that the ordering there only goes to ldap if it's not found 
> locally.  For example:
>
> |auth sufficient pam_unix.so
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so|
>
> and
>
> |account sufficient pam_unix.so
> account sufficient pam_ldap.so
> account required pam_deny.so|
>
>
> Frank
>
I think I have it working now. Putting the pam_ldap.so lines below the 
pam_unix.so lines was what I tried first and that resulted in queries 
happening against the ldap. After I changed the pam_unix.so lines to be 
sufficient for pam_unix.so instead of required, it started working the 
way i expected. My only question is there any problem with changing the 
pam_unix.so to be sufficient instead of required? I am kind of a pam 
n00b. Thanks

Mike



More information about the PLUG mailing list