pam_ldap.so before pam_unix.so? Is it ever possible?
Posted
by
user1075993
on Server Fault
See other posts from Server Fault
or by user1075993
Published on 2012-12-03T17:00:14Z
Indexed on
2012/12/03
17:05 UTC
Read the original article
Hit count: 204
we have a couple of servers with PAM+LDAP.
The configuration is standard (see http://arthurdejong.org/nss-pam-ldapd/setup or http://wiki.debian.org/LDAP/PAM). For example, /etc/pam.d/common-auth contains:
auth sufficient pam_unix.so nullok_secure
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth sufficient pam_ldap.so use_first_pass
auth requiered pam_deny.so
And, of course, it works for both ldap and local users. But every login goes first to pam_unix.so, fails, and only then tries pam_ldap.so successfully. As a result, we have a well-known failure message for every single ldap user login:
pam_unix(<some_service>:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<some_host> user=<some_user>
I have up to 60000 of such log messages per day and I want to change the configuration so, that PAM will try ldap authentication first, and only if it fails - try pam_unix.so (I think it can improve the i/o performance of the server). But if I change common-auth to the following:
auth sufficient pam_ldap.so use_first_pass
auth sufficient pam_unix.so nullok_secure
auth requiered pam_deny.so
Then I simply can't login anymore with local (non-ldap) user (e.g., via ssh).
Does somebody knows the right configuration? Why Debian and nss-pam-ldapd have pam_unix.so at first by default? Is there really no way to change it?
Thank you in advance.
P.S. I don't want to disable logs, but want to set ldap authentication on the first place.
© Server Fault or respective owner