Sorry for the repeated discussion. I sent this to the mailing list
MONTHS ago. Just got it now. Not sure why. I've added
"nss_initgroups_ignoreusers root,ldap,informix" and things seem to be
better now.
Thanks anyway
Patrick Wolfe wrote:
> I'm sure someone has solved this before.
>
> We're using nss_ldap and pam_ldap with openldap servers on CentOS 4 and
> FreeBSD 6. Everything is working fine, as long as connectivity to the
> openldap servers is working. Occasionally, something will go wrong, a
> network change, or changing what net a host is connected to, and ldap
> connectivity is broken.
>
> The problem is, nobody can login when ldap isn't working, even root
> (which is a local account). I'm thinking it probably is the order of
> items in my /etc/pam.d/system-auth file. Here is what I have for our
> CentOS systems:
>
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account requisite /lib/security/$ISA/pam_access.so
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_localuser.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=11 difok=4
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_ldap.so
>
>
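An added example, not from either poster, that walks the quoted auth and account stacks with Linux-PAM's control-flag rules (pam.d(5): required/requisite/sufficient/optional and the [value=action] form), assuming pam_ldap would return PAM_AUTHINFO_UNAVAIL when the server is unreachable. It shows root being accepted by pam_unix and pam_localuser before pam_ldap is ever invoked, so the PAM order is not what blocks root; that matches the fix landing on the NSS side (nss_initgroups_ignoreusers), where nss_ldap is consulted for every lookup regardless of the PAM stack.

```python
import re

KEYWORDS = {  # pam.d(5) keyword -> equivalent [value=action] table
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"}}
# Auth and account lines of the quoted CentOS system-auth (copied, paths dropped).
SYSTEM_AUTH = """auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account requisite pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
"""

def parse_stack(text, mtype):
    """Return [(module, {retval: action})] for one management group."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\[[^\]]+\]|\w+)\s+(\S+)", line)
        if m and m.group(1) == mtype:
            ctl, module = m.group(2), m.group(3).rsplit("/", 1)[-1]
            actions = (dict(kv.split("=") for kv in ctl[1:-1].split())
                       if ctl.startswith("[") else KEYWORDS[ctl])
            stack.append((module, actions))
    return stack

def run_stack(stack, results):
    """Dispatch like pam_dispatch (ok/done/bad/die/ignore only); unlisted modules succeed."""
    impression, status, called = None, "success", []
    for module, actions in stack:
        retval = results.get(module, "success")
        called.append(module)
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("ok", "done"):  # contributes unless a failure is already recorded
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos" if retval == "success" else "neg", retval
        elif action in ("bad", "die") and impression != "neg":  # first failure wins
            impression, status = "neg", retval
        if action == "die" or (action == "done" and impression == "pos"):
            break
    return status, called

def root_login(ldap_retval="authinfo_unavail"):
    results = {"pam_ldap.so": ldap_retval}  # what pam_ldap would return if reached
    return (run_stack(parse_stack(SYSTEM_AUTH, "auth"), results),
            run_stack(parse_stack(SYSTEM_AUTH, "account"), results))
```

For an LDAP-only user with the directory down, pam_unix fails, pam_ldap is ignored under sufficient, and pam_deny records the failure, which is the expected outcome for that account; only the root case matters for the thread.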