Gerhard Schmidt wrote:
> I'm setting up a new FreeBSD Server for our local Computer club. Most of
> the users are stored in LDAP and I've installed nss_ldap and pam_ldap
> and set up both. Everything works so far with nsswitch.conf
> entry passwd: ldap files.
>
> When I try passwd: files ldap the login doesn't work anymore because the
> LDAP_Server is never asked.

The act of logging in is managed by /etc/pam.d/*, not /etc/nsswitch.conf.
If `ls -l` works, you've got NSS configured correctly.

> I tried this to optimize the LDAP requests as the service users are in
> the local files. This would speed up the boot process and take some
> load off the LDAP-Server.
>
> Is there a way to configure FreeBSD to look first in the local files and,
> if a user isn't found, in the LDAP-Server.

This is my /etc/nsswitch.conf:

| group: files ldap
| hosts: files dns
| networks: files
| passwd: files ldap
| shells: files

And /etc/pam.d/system:

auth sufficient pam_unix.so no_warn
auth required /usr/local/lib/pam_ldap.so no_warn use_first_pass

My guess is you used required for both modules, which would require
authentication to succeed against both user databases.

> And another question. Is there a way to use two different LDAP-Servers
> e.g. by calling nss_ldap with different config files.

What's your goal?

We have two different LDAP providers with different subtrees that get
"glued" together by a DNS round-robin of LDAP consumers. This round-robin
provides a single, unified view of our directory to all our LDAP clients.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
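The control-flag point in the reply above, as an added example that is not part of the thread: a small POSIX sh lint that reads the auth stack of a PAM service file and flags the stack the reply guesses at (pam_unix and pam_ldap both required), as well as a pam_ldap line without use_first_pass. The sample stacks are constructed here and pam_auth_lint is a name chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): lint the "auth" stack of a PAM
# service file. With pam_unix and pam_ldap both "required", a local-only
# account must also pass LDAP, so "files first" buys nothing; with pam_unix
# "sufficient", pam_ldap needs use_first_pass or LDAP users are prompted twice.
# Usage: pam_auth_lint /etc/pam.d/system   (prints a verdict, exit 0 only on ok)

pam_auth_lint() {
    file=$1
    # control flag of the first auth line for each module ("" if absent);
    # modules are matched by basename, so /usr/local/lib/pam_ldap.so works
    unix_ctl=$(awk '$1 == "auth" && $3 ~ /pam_unix\.so$/ { print $2; exit }' "$file")
    ldap_ctl=$(awk '$1 == "auth" && $3 ~ /pam_ldap\.so$/ { print $2; exit }' "$file")
    # options following the pam_ldap module path
    ldap_opts=$(awk '$1 == "auth" && $3 ~ /pam_ldap\.so$/ { $1 = $2 = $3 = ""; print; exit }' "$file")

    if [ -z "$unix_ctl" ] || [ -z "$ldap_ctl" ]; then
        echo "missing: auth stack needs both pam_unix.so and pam_ldap.so"
        return 1
    fi
    if [ "$unix_ctl" = required ] && [ "$ldap_ctl" = required ]; then
        echo "both required: a login must succeed against files AND ldap"
        return 1
    fi
    if [ "$unix_ctl" = sufficient ]; then
        case " $ldap_opts " in
            *" use_first_pass "*) ;;
            *) echo "pam_ldap lacks use_first_pass: LDAP users get a second password prompt"
               return 1 ;;
        esac
    fi
    echo "ok: local files tried first, LDAP only when pam_unix fails"
    return 0
}

# Demo on two constructed stacks: the likely original with "required" on
# both modules, then the stack quoted in the reply.
tmp=$(mktemp)
printf 'auth required pam_unix.so no_warn\nauth required /usr/local/lib/pam_ldap.so no_warn use_first_pass\n' > "$tmp"
pam_auth_lint "$tmp"
printf 'auth sufficient pam_unix.so no_warn\nauth required /usr/local/lib/pam_ldap.so no_warn use_first_pass\n' > "$tmp"
pam_auth_lint "$tmp"
rm -f "$tmp"
```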