LDAP question

Jordan Curzon curzonj at gmail.com
Thu Jul 31 18:25:27 MDT 2008


Here is the authority on configuring pam:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html

On Thu, Jul 31, 2008 at 4:04 PM, Mike Lovell <mike at dev-zero.net> wrote:
> Frank Sorenson wrote:
>>
>> Mike Lovell wrote:
>>>
>>> I am trying to get an LDAP working for an environment that I have.
>>> Currently, the LDAP is working and I can authenticate against the LDAP and everything
>>> is working fine. The one complaint I have is that on user or group lookups
>>> where the local account information is sufficient, there is still a query
>>> going against LDAP. Does anyone know if it is possible to configure things so
>>> that if there is a result found in /etc/passwd and /etc/group to then not do
>>> a query against the LDAP? I am wanting to deploy this in an environment that
>>> is doing a ton of file operations as a particular user that is already on
>>> the local machines and I don't want queries hitting the LDAP all of the time
>>> and killing it. I know nscd will cache the info but I am wanting to not hit
>>> the LDAP for that user at all. Here is what I have in my nsswitch.conf.
>>
>> The nsswitch.conf looks fine.  I'd look into the ordering of the pam
>> stack.  Check for references to pam_ldap.so in the /etc/pam.d/system-auth or
>> service-specific configuration, and make sure that the ordering there only
>> goes to ldap if it's not found locally.  For example:
>>
>> auth sufficient pam_unix.so
>> auth sufficient pam_ldap.so use_first_pass
>> auth required pam_deny.so
>>
>> and
>>
>> account sufficient pam_unix.so
>> account sufficient pam_ldap.so
>> account required pam_deny.so
>>
>>
>> Frank
>>
> I think I have it working now. Putting the pam_ldap.so lines below the
> pam_unix.so lines was what I tried first and that resulted in queries
> happening against the ldap. After I changed the pam_unix.so lines to be
> sufficient for pam_unix.so instead of required, it started working the way I
> expected. My only question is, is there any problem with changing the
> pam_unix.so to be sufficient instead of required? I am kind of a pam n00b.
> Thanks
>
> Mike
>
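As an added illustration, not part of the thread, here is a small Python simulation of the Linux-PAM control-flag rules described in the SAG linked above, run over Frank's suggested account stack and over the same stack with pam_unix.so left as required. The module results are stubbed (constructed assumptions: a user known only to pam_unix.so, one known only to pam_ldap.so, and one known to neither), so it shows which modules get invoked, not what a real lookup returns.

```python
# Simplified Linux-PAM control-flag semantics (per the SAG), showing why a
# "required pam_unix.so" stack still reaches pam_ldap.so while "sufficient"
# does not. Constructed example: module results are stubbed, no PAM library.
SUFFICIENT_FIRST = [            # Frank's suggested account stack, in file order
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]
REQUIRED_FIRST = [              # same stack with pam_unix.so left "required"
    ("required", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]

def run_stack(stack, results):
    """results maps module -> True (PAM_SUCCESS)/False; returns (outcome, called)."""
    called, required_failed, positive = [], False, False
    for control, module in stack:
        called.append(module)
        ok = results[module]
        if control == "requisite":
            if not ok:
                return ("fail", called)     # failure ends the stack at once
            positive = True
        elif control == "required":
            if ok:
                positive = True
            else:
                required_failed = True      # remembered, but the walk continues
        elif control == "sufficient":
            if ok and not required_failed:
                return ("success", called)  # short-circuit: the rest is skipped
            # a failing "sufficient" module is ignored
        elif control == "optional":
            positive = positive or ok
        else:
            raise ValueError(f"unknown control flag {control!r}")
    # End of stack: a remembered "required" failure denies; else one success needed.
    return ("success" if positive and not required_failed else "fail", called)

# Stubbed results (constructed): pam_deny.so always fails.
LOCAL_USER = {"pam_unix.so": True, "pam_ldap.so": False, "pam_deny.so": False}
LDAP_USER = {"pam_unix.so": False, "pam_ldap.so": True, "pam_deny.so": False}
UNKNOWN_USER = {"pam_unix.so": False, "pam_ldap.so": False, "pam_deny.so": False}

if __name__ == "__main__":
    for label, stack in (("sufficient", SUFFICIENT_FIRST), ("required", REQUIRED_FIRST)):
        for who, res in (("local", LOCAL_USER), ("ldap", LDAP_USER), ("unknown", UNKNOWN_USER)):
            print(f"pam_unix.so {label}, {who} user:", run_stack(stack, res))
```

The flip side of the short-circuit is that a user accepted by a sufficient pam_unix.so never reaches pam_ldap.so at all, so any account restrictions enforced only on the LDAP side do not apply to accounts that also exist in /etc/passwd.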


