Hi
I set up my FreeBSD 10.0 RELEASE to authenticate against OpenLDAP, which is installed non-redundant on the very same host. I'm using pam_ldap as described in the following tutorial: http://www.freebsd.org/doc/en/articles/ldap-auth/client.html. Fortunately it seems to work quite nicely, apart from this little annoying problem: if slapd for whatever reason dies / isn't available to pam_ldap, then neither system nor LDAP logins are possible anymore. In other words: I'm locked out ;(
Of course it would be lovely to have pam.d configurations which always give permission to local system accounts (/etc/passwd), no matter whether LDAP is reachable or not. Is this possible to configure within the pam.d configurations, or do I have to implement a separate shell script which will periodically check for LDAP availability and change the pam.d configurations according to its result?
These are my pam.d configurations:
/etc/pam.d/system
Code:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required /usr/local/lib/pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required /usr/local/lib/pam_mkhomedir.so
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
/etc/pam.d/sshd
Code:
# auth
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
# session
#session optional pam_ssh.so
session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
/etc/pam.d/su
Code:
# auth
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser
auth include system
# account
account include system
# session
session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so
Any hints on what I'm missing to achieve my goal are much appreciated.
Thanks & best regards
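Added example, not from the post above or from the FreeBSD handbook article it links: a small POSIX sh/awk lint that reads a pam.d policy such as the ones posted and reports whether local /etc/passwd accounts can still authenticate when pam_ldap cannot reach slapd. The three rules it applies (pam_ldap.so auth lines are `sufficient`, a `pam_unix.so` auth line exists, pam_ldap.so account lines carry `ignore_authinfo_unavail`) are assumptions about what a fallback-safe stack needs, and both sample policies are constructed.

```shell
#!/bin/sh
# Added lint (not from the forum post): does this pam.d policy let local
# /etc/passwd accounts authenticate when pam_ldap cannot reach slapd?
# Assumed rules for a fallback-safe policy:
#   1. every pam_ldap.so auth line is 'sufficient' (required/requisite would
#      make an unreachable slapd fail the whole auth stack)
#   2. a pam_unix.so auth line exists, so local passwords are still tried
#   3. every pam_ldap.so account line carries ignore_authinfo_unavail
# Reads the policy on stdin; exit 0 = fallback-safe, 1 = problems printed.
check_pam_policy() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
    $1 == "auth" && $3 ~ /pam_ldap\.so$/ && $2 != "sufficient" {
        print "auth: pam_ldap.so is \"" $2 "\", should be sufficient"; bad = 1
    }
    $1 == "auth" && $3 ~ /pam_unix\.so$/ { have_unix = 1 }
    $1 == "account" && $3 ~ /pam_ldap\.so$/ && $0 !~ /ignore_authinfo_unavail/ {
        print "account: pam_ldap.so lacks ignore_authinfo_unavail"; bad = 1
    }
    END {
        if (!have_unix) { print "auth: no pam_unix.so line, local accounts cannot log in"; bad = 1 }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample 1: the shape of the /etc/pam.d/system stack in the post.
safe_policy() {
    printf '%s\n' \
        'auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass' \
        'auth required pam_unix.so no_warn try_first_pass nullok' \
        'account required /usr/local/lib/pam_ldap.so ignore_unknown_user ignore_authinfo_unavail' \
        'account required pam_unix.so'
}

# Constructed sample 2: pam_ldap made 'required' and ignore_authinfo_unavail dropped.
unsafe_policy() {
    printf '%s\n' \
        'auth required /usr/local/lib/pam_ldap.so no_warn' \
        'auth required pam_unix.so no_warn try_first_pass' \
        'account required /usr/local/lib/pam_ldap.so ignore_unknown_user'
}

# Usage on a real host: check_pam_policy < /etc/pam.d/system
if safe_policy | check_pam_policy; then echo 'sample 1: fallback-safe'; fi
if ! unsafe_policy | check_pam_policy; then echo 'sample 2: NOT fallback-safe'; fi
```

The lint only inspects the PAM stack itself; it says nothing about other lookups a login performs before PAM is consulted.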