Here is the authority on configuring pam: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html
On Thu, Jul 31, 2008 at 4:04 PM, Mike Lovell <[EMAIL PROTECTED]> wrote:
> Frank Sorenson wrote:
>>
>> Mike Lovell wrote:
>>>
>>> I am trying to get an LDAP working for an environment that I have.
>>> Currently, the LDAP is working and I can authenticate the LDAP and everything
>>> is working fine. The one complaint I have is that on user or group lookup
>>> where the local account information is sufficient, there is still a query
>>> going against LDAP. Does anyone know if it is possible to configure things so
>>> that if there is a result found in /etc/passwd and /etc/group to then not do
>>> a query against the LDAP? I am wanting to deploy this in an environment that
>>> is doing a ton of file operations as a particular user that is already on
>>> the local machines and I don't want queries hitting the LDAP all of the time
>>> and killing it. I know nscd will cache the info but I am wanting to not hit
>>> the LDAP for that user at all. Here is what I have in my nsswitch.conf.
>>
>> The nsswitch.conf looks fine. I'd look into the ordering of the pam
>> stack. Check for references to pam_ldap.so in the /etc/pam.d/system-auth or
>> service-specific configuration, and make sure that the ordering there only
>> goes to ldap if it's not found locally. For example:
>>
>>     auth sufficient pam_unix.so
>>     auth sufficient pam_ldap.so use_first_pass
>>     auth required pam_deny.so
>>
>> and
>>
>>     account sufficient pam_unix.so
>>     account sufficient pam_ldap.so
>>     account required pam_deny.so
>>
>>
>> Frank
>>
> I think I have it working now. Putting the pam_ldap.so lines below the
> pam_unix.so lines was what I tried first and that resulted in queries
> happening against the ldap. After I changed the pam_unix.so lines to be
> sufficient for pam_unix.so instead of required, it started working the way I
> expected. My only question is there any problem with changing the
> pam_unix.so to be sufficient instead of required? I am kind of a pam n00b.
> Thanks
>
> Mike
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
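Added example, not part of the thread: a simplified Python model of how Linux-PAM walks a stack, showing why pam_ldap.so is skipped for a local account only when pam_unix.so is `sufficient`. The `required` variant is an assumed reconstruction (the thread does not show Mike's original file), and the per-module outcomes are constructed.

```python
# Added example: simplified model of how Linux-PAM walks one stack.
# Only the required, requisite and sufficient control flags are modeled.

FRANK_AUTH = """\
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""

# Assumed "before" variant: the thread does not show Mike's original file.
REQUIRED_AUTH = """\
auth required pam_unix.so
auth sufficient pam_ldap.so use_first_pass
"""

def parse(text, mgmt_type="auth"):
    """Return [(control, module)] for the lines of one management group."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt_type:
            stack.append((fields[1], fields[2]))
    return stack

def run_stack(stack, module_ok):
    """module_ok maps module name -> bool (constructed outcomes).
    Returns (granted, modules_invoked_in_order)."""
    invoked, succeeded, failed = [], False, False
    for control, module in stack:
        invoked.append(module)
        ok = module_ok[module]
        if control == "sufficient":
            if ok and not failed:
                return True, invoked      # stop: later modules never run
            continue                      # a failed 'sufficient' is ignored
        if control not in ("required", "requisite"):
            raise ValueError(f"control flag not modeled: {control}")
        if ok:
            succeeded = True
        else:
            failed = True
            if control == "requisite":
                return False, invoked     # fail immediately
    return succeeded and not failed, invoked

# Constructed outcomes: a local-only account and an LDAP-only account.
LOCAL_USER = {"pam_unix.so": True, "pam_ldap.so": False, "pam_deny.so": False}
LDAP_USER = {"pam_unix.so": False, "pam_ldap.so": True, "pam_deny.so": False}
```

In the `sufficient` stack the trailing `required pam_deny.so` line is what rejects a login when neither pam_unix.so nor pam_ldap.so succeeds.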
