Also much documentation on the internet is plain wrong and untested.
For example people will say this is ok:
#%PAM-1.0
auth sufficient pam_ldap.so
auth include system-auth
account required pam_nologin.so
account sufficient pam_ldap.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so
Its not:
#%PAM-1.0
auth sufficient pam_ldap.so
auth include system-auth
account required pam_nologin.so
account [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore authinfo_unavail=ignore]
pam_ldap.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so
On Wed, Feb 3, 2010 at 5:38 PM, Tom Lanyon <tom(a)netspot.com.au> wrote:
On 04/02/2010, at 7:29 AM, Sean Carolan wrote:
> If I stop the LDAP server though, I'm unable to log onto this server
> with my ssh key or password. Is there a way to keep shadow passwords
> as a failover method for logging in if the LDAP server is down?
What is listed in your /etc/nsswitch.conf for passwd, shadow and group?
If you do not have an entry for 'files' then the local /etc/{passwd,shadow,group}
files will not be searched.
Hope this helps.
Tom
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users