I set up a pam authentication thowards Oracle Unified Directory on RH5 using the nslcd deamon.
I would like the authentication to first try for local users and then if no users found try to contact the LDAP. So I edited the /etc/nsswitch.conf in this way:
passwd: files ldap
shadow: files ldap
group: files ldap
But it seems this is not working since if the LDAP server is down, I'm not able to login to the server.
Am I missing something?
EDIT:
This is my PAM /etc/pam.d/system-auth (I'm not using sssd, only nslcd).
#%PAM-1.0
# This file is auto-generated.
auth required pam_env.so
auth sufficient pam_unix.so nullok
auth sufficient pam_ldap.so use_first_pass ignore_authinfo_unavail
auth required pam_deny.so
account required pam_unix.so broken_shadow
account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_ldap.so try_first_pass ignore_unknown_user ignore_authinfo_unavail
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel umask=077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so ignore_authinfo_unavail
I set the system-auth at debug and this is the result:
Dec 20 17:46:38 <hostname> nscd: nss_ldap: failed to bind to LDAP server ldap://<dns_1>:3389: Can't contact LDAP server
Dec 20 17:46:38 <hostname> nscd: nss_ldap: failed to bind to LDAP server ldap://<dns_2>:3389: Can't contact LDAP server
Dec 20 17:46:38 <hostname> nscd: nss_ldap: failed to bind to LDAP server ldap://<ip_1>:3389: Can't contact LDAP server
Dec 20 17:46:38 <hostname> nscd: nss_ldap: failed to bind to LDAP server ldap://<ip_2>:3389: Can't contact LDAP server
I've found out the problem.
The resolution is to change this line in the /etc/pam.d/systhem-auth-ac
:
account required pam_unix.so broken_shadow
into this:
account sufficient pam_unix.so broken_shadow
Be sure to change the same directive in the /etc/pam.d/password-auth-ac
if you have that file too. Now the whitelisting through nss_initgroups_ignoreusers
should work fine.
EDIT (some years later): the problem on this was that since the pam authentication works in cascade, there is no reason to go ahead in the account service if you already have a local account. So the first line (pam_unix.so) is enough for an authentication. Previously the stack kept check also the pam_ldap.so because all three lines were required to login, and if the ldap service is down or unreachable, the authentication stack breaks.