pam_ldap.so before pam_unix.so? Is it ever possible?

Posted by user1075993 on Server Fault See other posts from Server Fault or by user1075993
Published on 2012-12-03T17:00:14Z Indexed on 2012/12/03 17:05 UTC
Read the original article Hit count: 204

Filed under:
|
|

we have a couple of servers with PAM+LDAP.

The configuration is standard (see http://arthurdejong.org/nss-pam-ldapd/setup or http://wiki.debian.org/LDAP/PAM). For example, /etc/pam.d/common-auth contains:

auth sufficient pam_unix.so nullok_secure
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth sufficient pam_ldap.so use_first_pass
auth requiered pam_deny.so

And, of course, it works for both ldap and local users. But every login goes first to pam_unix.so, fails, and only then tries pam_ldap.so successfully. As a result, we have a well-known failure message for every single ldap user login:

pam_unix(<some_service>:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<some_host>  user=<some_user>

I have up to 60000 of such log messages per day and I want to change the configuration so, that PAM will try ldap authentication first, and only if it fails - try pam_unix.so (I think it can improve the i/o performance of the server). But if I change common-auth to the following:

auth sufficient pam_ldap.so use_first_pass
auth sufficient pam_unix.so nullok_secure
auth requiered pam_deny.so

Then I simply can't login anymore with local (non-ldap) user (e.g., via ssh).

Does somebody knows the right configuration? Why Debian and nss-pam-ldapd have pam_unix.so at first by default? Is there really no way to change it?

Thank you in advance.

P.S. I don't want to disable logs, but want to set ldap authentication on the first place.

© Server Fault or respective owner

Related posts about unix

Related posts about ldap