tags 617452 + pending
thanks

On Tue, 2011-03-08 at 17:57 -0800, Chris Hiestand wrote:
> It's a little confusing at the moment why local users are prompted for
> an LDAP password if you have specified ignore_unknown_user within your
> passwd PAM configuration:
> 
>   password  sufficient  pam_ldap.so debug ignore_unknown_user use_authtok
>   password  required    pam_unix.so sha512 obscure min=8 use_authtok
> 
> You are still prompted for an ldap password:
>   localuser@hostname:/tmp$ passwd
>   (current) LDAP Password:

The problem is that the PAM module first tries to gather all data before
going to nslcd. In the development branch I've implemented an extra test
to see whether we're dealing with and LDAP password before doing
anything.

Anyway, for your environment I would suggest you try the minimum_uid
option. If your local users have lower numeric uids than your LDAP ones
that will save you some time and it will also prevent most LDAP lookups
when logging in as root when the LDAP server is unavailable.

Also, the Debian default PAM stack in squeeze is:

password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 
try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so

which does not prompt local users for LDAP passwords on password change.

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to