Hi all,
I configured nss & pam in order to do LDAP authentication. In order to
have proper authentication and attribute retrieval I also added ccreds
and nss_updatedb, modifying /etc/pam.d/system-auth for the first and
/etc/nsswitch.conf for both:

/etc/pam.d/system-auth:

auth            [success=done default=ignore]                   pam_unix.so nullok_secure try_first_pass debug
auth            [authinfo_unavail=ignore success=1 default=2]   pam_ldap.so use_first_pass
auth            [default=done]                                  pam_ccreds.so action=validate use_first_pass
auth            [default=done]                                  pam_ccreds.so action=store
auth            [default=bad]                                   pam_ccreds.so action=update

account         [user_unknown=ignore authinfo_unavail=ignore default=done]      pam_unix.so debug
account         [user_unknown=ignore authinfo_unavail=ignore default=done]      pam_ldap.so debug
account         required                                                        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password        sufficient      pam_unix.so try_first_pass use_authtok nullok md5 shadow
password        sufficient      pam_ldap.so use_authtok use_first_pass
password        required        pam_deny.so

session         optional        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
session         optional        pam_ldap.so

# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

passwd:         files ldap [NOTFOUND=return] db
shadow:         files ldap
group:          files ldap [NOTFOUND=return] db

#passwd:      files ldap
#shadow:      files ldap
#group:       files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files ldap
bootparams:  files

automount:   files ldap
aliases:     files

sudoers:        ldap files

The problem is that, when the connection to the LDAP server is down, I can't
log in:

Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): check pass; user unknown
Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Jul 18 19:22:59 athena login[10600]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jul 18 19:23:02 athena login[10600]: nss_ldap: failed to bind to LDAP server ldap://vesta.homenet.telecomitalia.it: Can't contact LDAP server
Jul 18 19:23:02 athena login[10600]: nss_ldap: could not search LDAP server - Server is unavailable
Jul 18 19:23:02 athena login[10600]: FAILED LOGIN (1) on 'tty2' FOR `UNKNOWN', User not known to the underlying authentication module

From the last line above it seems like the credentials were not cached, or the
NSS switch doesn't use the db service for the passwd and shadow databases.

Does anyone have a working configuration for the cached credentials
system to work properly?

Regards
Giampiero
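One way to check the suspicion in the last paragraph (that NSS never falls through to the db source when LDAP is down) is to simulate glibc's walk over an nsswitch.conf line. This is an added example, not code from the post; it assumes glibc's default actions (return on success, continue on any other status) and that the nss_updatedb cache is the `db` source.

```python
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
# glibc defaults for every source: stop on success, continue otherwise.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

# Constructed sample: the three lines from the post that matter here.
SAMPLE_NSSWITCH = """\
passwd:         files ldap [NOTFOUND=return] db
shadow:         files ldap
group:          files ldap [NOTFOUND=return] db
"""


def parse_nsswitch(text):
    """Return {database: [(source, {status: action}), ...]}, honouring
    the [STATUS=action] and [!STATUS=action] syntax after a source."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        entries = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if not tok.startswith("["):
                entries.append((tok, dict(DEFAULT_ACTIONS)))
            elif entries:  # action list applies to the preceding source
                for spec in tok[1:-1].split():
                    status, action = spec.lstrip("!").lower().split("=", 1)
                    negated = spec.startswith("!")
                    for s in STATUSES:
                        if (s != status) == negated:
                            entries[-1][1][s] = action
        table[db.strip()] = entries
    return table


def lookup_path(entries, results):
    """Walk one database's sources as glibc does; `results` maps a source
    to the status it would report (any source absent reports 'notfound').
    Returns (final status, sources actually consulted, in order)."""
    consulted, status = [], "notfound"
    for src, actions in entries:
        status = results.get(src, "notfound")
        consulted.append(src)
        if actions[status] == "return":
            break
    return status, consulted


def reaches_cache(text, db, ldap_source="ldap", cache_source="db"):
    """True if, with the LDAP server unreachable and no local match,
    a lookup in `db` falls through to the nss_updatedb cache."""
    entries = parse_nsswitch(text)[db]
    _, consulted = lookup_path(
        entries, {ldap_source: "unavail", cache_source: "success"})
    return cache_source in consulted
```

Run against the sample, `passwd` and `group` reach the cache while `shadow` never does, and with `[NOTFOUND=return]` a user that LDAP simply does not know is never looked up in `db`.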
