Feedback: removed the extended schema option and everything worked fine. Now I have made two changes as per authconfig - /etc/nsswitch and /etc/pam.d/system-auth.

My nsswitch looks like

    passwd:     ldap files nisplus
    shadow:     ldap files nisplus
    group:      ldap files nisplus

and /etc/pam.d/system-auth looks like

    auth        required      /lib/security/pam_env.so
    auth        sufficient    /lib/security/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/pam_ldap.so use_first_pass
    auth        required      /lib/security/pam_deny.so
    account     required      /lib/security/pam_unix.so
    account     required      /lib/security/pam_ldap.so
    password    required      /lib/security/pam_cracklib.so retry=3 type=
    password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password    sufficient    /lib/security/pam_ldap.so use_authtok
    password    required      /lib/security/pam_deny.so
    session     required      /lib/security/pam_limits.so
    session     required      /lib/security/pam_unix.so
    session     optional      /lib/security/pam_ldap.so

Now by my reckoning, authentication will check ldap first (via nsswitch.conf) and, failing that, move on to files and then nisplus. So if an account is not in the ldap DB but is in the local /etc/passwd file, it will use this account.

Now for PAM authentication I am presuming a similar result, except that the local information (/etc/passwd) is tried first, because of the line

    auth        sufficient    /lib/security/pam_unix.so likeauth nullok

My only problem now, if the above is true, is that if the LDAP server is down, I can not log in because the module doesn't exit gracefully. Is there a way for it to be configured to do that? So even if the account is in the local DB files and ldap is down, I can not authenticate!

Now presuming my first 2 points are correct, should I / is it best practice to remove all user accounts from the local DB, apart from root, and store the rest in the ldap DB? Should this include things like userids used for daemons or other services?

A

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Samad
Sent: Sunday, 28 April 2002 11:47 AM
To: [EMAIL PROTECTED]
Subject: [SLUG] LDAP Q

Hi,

I am taking the LDAP route as well. I have looked over the archives and have found some valuable information. My set-up is RH7.2 mixed in with some rawhide. I am trying to use the migration tools provided with openldap and am running into the same problem as faced before, with the schema not being set out. Somebody mentioned that debian has it. I have turned off schema checking, but I would like the schema that I am missing; that seems like the easier solution. Can somebody with debian please send me the schema file.

Thanks
Alex

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
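The stacking question in the reply above (local account, pam_unix sufficient, then pam_ldap, and the LDAP server unreachable) can be worked through without a directory by simulating the control-flag rules from pam.d(5) over the posted system-auth. This is an added example and not code from either poster. The return codes it assigns to pam_ldap.so (user_unknown when the user has no directory entry, authinfo_unavail when the server cannot be reached) are assumptions about that module's behaviour, and the bracketed account line in the "tolerant" variant is this example's own suggestion, not something taken from the thread.

```python
"""Simulate how Linux-PAM walks one management group (auth, account, ...)
under the control flags documented in pam.d(5), so a stack like the posted
system-auth can be checked against "what if pam_ldap cannot reach the server?"
without a live directory.  Added example, not the poster's code.

Modelled: required / requisite / sufficient / optional and the bracketed
[value=action ...] form with the actions ok, done, bad, die and ignore.
Not modelled: numeric jump actions, reset, and pam_ldap's real behaviour.
"""

SUCCESS = "success"                    # PAM_SUCCESS
USER_UNKNOWN = "user_unknown"          # PAM_USER_UNKNOWN
AUTHINFO_UNAVAIL = "authinfo_unavail"  # PAM_AUTHINFO_UNAVAIL
PERM_DENIED = "perm_denied"            # PAM_PERM_DENIED

# Keyword flags as pam.d(5) defines them in terms of the bracketed form.
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


def parse_stack(config_text, group):
    """Return [(control_table, module_basename)] for one group of a system-auth style file."""
    stack = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2 or parts[0] != group:
            continue
        rest = parts[1].strip()
        if rest.startswith("["):                      # bracketed control: [value=action ...]
            close = rest.index("]")
            control = dict(pair.split("=", 1) for pair in rest[1:close].split())
            module = rest[close + 1:].split()[0]
        else:                                         # keyword control: required/sufficient/...
            keyword, module = rest.split()[:2]
            control = KEYWORDS[keyword]
        stack.append((control, module.rsplit("/", 1)[-1]))
    return stack


def evaluate(stack, results):
    """Walk one group the way libpam's dispatcher does and return the group's result.

    `results` maps module basename -> the return code that module produces;
    a module missing from the map is taken to return success.
    """
    impression, status = None, None
    for control, module in stack:
        ret = results.get(module, SUCCESS)
        action = control.get(ret, control["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # A positive impression forms (or is refined) only while no failure is recorded.
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break                                 # 'sufficient' short-circuits the stack
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret  # first failure is the one reported
            if action == "die":
                break
        else:
            raise ValueError("unsupported action %r" % action)
    if impression != "positive":
        return status if status is not None else PERM_DENIED
    return status


# The auth and account groups exactly as posted in the reply above.
POSTED_SYSTEM_AUTH = """\
auth     required   /lib/security/pam_env.so
auth     sufficient /lib/security/pam_unix.so likeauth nullok
auth     sufficient /lib/security/pam_ldap.so use_first_pass
auth     required   /lib/security/pam_deny.so
account  required   /lib/security/pam_unix.so
account  required   /lib/security/pam_ldap.so
"""

# Same stack with the pam_ldap account line in bracketed form, so that an
# unreachable directory, or one with no entry for a local account, is ignored
# instead of failing the account group.  The set of ignored codes is this
# example's own choice (assumption), not taken from the thread.
TOLERANT_SYSTEM_AUTH = POSTED_SYSTEM_AUTH.replace(
    "account  required   /lib/security/pam_ldap.so",
    "account  [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore "
    "service_err=ignore] /lib/security/pam_ldap.so",
)

# Constructed module results.  The pam_ldap codes are assumptions about what the
# real module returns for a user it cannot find / a server it cannot reach.
BASE = {"pam_env.so": SUCCESS, "pam_deny.so": PERM_DENIED}
LOCAL_USER_LDAP_UP = dict(BASE, **{"pam_unix.so": SUCCESS, "pam_ldap.so": USER_UNKNOWN})
LOCAL_USER_LDAP_DOWN = dict(BASE, **{"pam_unix.so": SUCCESS, "pam_ldap.so": AUTHINFO_UNAVAIL})
LDAP_USER_LDAP_DOWN = dict(BASE, **{"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": AUTHINFO_UNAVAIL})


def login_outcome(config_text, results):
    """Result of the auth and account groups for one login attempt; both must be 'success'."""
    return {group: evaluate(parse_stack(config_text, group), results)
            for group in ("auth", "account")}


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_SYSTEM_AUTH), ("tolerant", TOLERANT_SYSTEM_AUTH)):
        for scenario, results in (("local user, ldap up", LOCAL_USER_LDAP_UP),
                                  ("local user, ldap down", LOCAL_USER_LDAP_DOWN),
                                  ("ldap user, ldap down", LDAP_USER_LDAP_DOWN)):
            print("%-8s %-22s %s" % (name, scenario, login_outcome(cfg, results)))
```

Under the assumed return codes the posted stack lets a local user through the auth group (pam_unix is sufficient and is reached first) but stops in the account group, because `account required pam_ldap.so` turns any non-success from pam_ldap into a failure of the whole group. The simulator only covers PAM; with `passwd: ldap files nisplus` the getpwnam() lookups that login also performs still go to nss_ldap first, so a down server will delay each lookup until nss_ldap gives up, which is governed by its own timeout settings and not by anything in system-auth.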
