Hi all,

I would like to use pam_ccreds to cache credentials for a user when the LDAP server is not available (using a laptop for example).

I have installed pam_ccreds, nss_updatedb and nss-db, and run "nss_updatedb ldap", so the system has passwd and group info locally in /var/db/passwd.db and /var/db/group.db. I have checked that they really contain all records from the LDAP when disconnected.

When connected, the LDAP authentication works fine, however the user cannot log in when disconnected. I noticed that pam_ccreds does not cache the credentials locally. I checked this with cc_dump.

Did anyone come across this problem? How can I do more debugging on this?

Below is how I've configured the laptop:

/etc/nsswitch.conf

    passwd: files ldap [NOTFOUND=return] db
    shadow: files ldap
    group: files ldap [NOTFOUND=return] db

/etc/pam.d/system-auth

    auth required pam_env.so
    auth [user_unknown=ignore default=done] pam_unix.so likeauth nullok shadow try_first_pass
    auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
    auth [default=done] pam_ccreds.so action=validate use_first_pass
    auth [default=done] pam_ccreds.so action=store
    auth [default=bad] pam_ccreds.so action=update
    auth required pam_deny.so

    account [user_unknown=ignore default=done] pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 100
    account [authinfo_unavail=ignore default=done] pam_ldap.so
    account [default=done] pam_permit.so

    password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
    password sufficient pam_unix.so nullok md5 shadow use_authtok try_first_pass
    password sufficient pam_ldap.so use_authtok use_first_pass
    password required pam_deny.so

    session required pam_limits.so
    session required pam_unix.so
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0066
    session optional pam_ldap.so

Regards,
Stephane
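Added example (not part of the original post, and not code from pam_ccreds or Linux-PAM): a small tracer that walks the auth lines of the posted system-auth using the control semantics documented in pam.conf(5), to show which modules actually run. The return codes passed in are assumptions to experiment with, not values observed on the poster's system; `reset`, includes and substacks are not modelled.

```python
import re

# "required" expanded to its bracket form, per pam.conf(5); the only keyword used below.
KEYWORDS = {"required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"}}
# The auth lines from the post's /etc/pam.d/system-auth, copied unchanged.
AUTH_STACK = """\
auth required pam_env.so
auth [user_unknown=ignore default=done] pam_unix.so likeauth nullok shadow try_first_pass
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
auth required pam_deny.so
"""

def parse(stack):
    """Return [(label, {return_code: action})]; label is module or module:<action arg>."""
    rules = []
    for line in stack.strip().splitlines():
        control, module, args = re.match(r"\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line).groups()
        actions = (dict(kv.split("=") for kv in control[1:-1].split())
                   if control.startswith("[") else KEYWORDS[control])
        act = re.search(r"action=(\w+)", args)
        rules.append((module + (":" + act.group(1) if act else ""), actions))
    return rules

def trace(rules, returns):
    """Walk the stack; `returns` maps label -> assumed module return code."""
    impression, status, ran, i = None, "perm_denied", [], 0
    while i < len(rules):
        label, actions = rules[i]
        ret = returns.get(label, "success")   # assumption: unlisted modules succeed
        action = actions.get(ret, actions.get("default", "bad"))
        ran.append(label)
        i += 1
        if action.isdigit():                  # jump N: in auth, ignore + skip N modules
            i += int(action)
        elif action in ("ok", "done"):        # "ignore" matches no branch: no effect
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", ret
            if impression == "pos" and action == "done":
                break                         # done ends the stack with this status
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", ret
            if action == "die":
                break
    return ran, ("perm_denied" if status == "success" and impression != "pos" else status)
```

With the stack as posted, `pam_ccreds.so action=store` is reached only when `pam_unix.so` returns `user_unknown` and `pam_ldap.so` returns `success`; any other `pam_unix.so` result matches `default=done` and ends the stack before the pam_ccreds lines.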

