tags 617452 + pending thanks On Tue, 2011-03-08 at 17:57 -0800, Chris Hiestand wrote: > It's a little confusing at the moment why local users are prompted for > an LDAP password if you have specified ignore_unknown_user within your > passwd PAM configuration: > > password sufficient pam_ldap.so debug ignore_unknown_user use_authtok > password required pam_unix.so sha512 obscure min=8 use_authtok > > You are still prompted for an ldap password: > localuser@hostname:/tmp$ passwd > (current) LDAP Password:
The problem is that the PAM module first tries to gather all data before going to nslcd. In the development branch I've implemented an extra test to see whether we're dealing with and LDAP password before doing anything. Anyway, for your environment I would suggest you try the minimum_uid option. If your local users have lower numeric uids than your LDAP ones that will save you some time and it will also prevent most LDAP lookups when logging in as root when the LDAP server is unavailable. Also, the Debian default PAM stack in squeeze is: password [success=2 default=ignore] pam_unix.so obscure sha512 password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass password requisite pam_deny.so password required pam_permit.so which does not prompt local users for LDAP passwords on password change. -- -- arthur - [email protected] - http://people.debian.org/~adejong --
signature.asc
Description: This is a digitally signed message part

