Gentoo Archives: gentoo-user

From: Stephane Pointu <stephane.pointu@××××××××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] pam_ccreds - Disconnected LDAP
Date: Tue, 20 Nov 2007 11:11:06
Message-Id: 4742BE05.9030101@purplelabs.com
Hi all,

I would like to use pam_ccreds to cache credentials for a user when the
LDAP server is not available (using a laptop for example).

I have installed pam_ccreds, nss_updatedb and nss-db,
and run "nss_updatedb ldap",
so the system has passwd and group info locally in /var/db/passwd.db and
/var/db/group.db. I have checked that they really contain all records
from the LDAP when disconnected.

When connected, the LDAP authentication works fine; however, the user
cannot log in when disconnected.

I noticed that pam_ccreds does not cache the credentials locally. I
checked this with cc_dump.

Did anyone come across this problem? How can I do more debugging on this?

Below is how I've configured the laptop:

/etc/nsswitch.conf
passwd: files ldap [NOTFOUND=return] db
shadow: files ldap
group: files ldap [NOTFOUND=return] db


/etc/pam.d/system-auth
auth required pam_env.so
auth [user_unknown=ignore default=done] pam_unix.so likeauth nullok shadow try_first_pass
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
auth required pam_deny.so

account [user_unknown=ignore default=done] pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 100
account [authinfo_unavail=ignore default=done] pam_ldap.so
account [default=done] pam_permit.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok try_first_pass
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0066
session optional pam_ldap.so

Regards,
Stephane
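Editor's note. The auth stack above relies on the bracketed Linux-PAM control syntax (`success=1` and `default=2` are jumps over the next one or two modules, `done` ends the stack, `ignore` drops the module's result), and which of the three pam_ccreds lines is reached depends entirely on what pam_unix and pam_ldap return. The script below is an added example, not code from the poster, from Linux-PAM or from pam_ccreds: it parses the posted auth lines and walks them under the action semantics described in pam.conf(5), in simplified form (first recorded failure wins, a stack that ends with nothing recorded is denied). The return codes fed into each scenario are constructed inputs, not values observed on any system. One thing it makes visible: because pam_unix is wrapped in `[user_unknown=ignore default=done]`, any return from pam_unix other than user_unknown ends the stack before pam_ldap or pam_ccreds is consulted, which is worth checking on a box where `passwd:` in nsswitch.conf falls through to `db` while `shadow:` does not. What pam_unix actually returns for such a user the model does not know; it only shows the consequence of each return code.

```python
"""Trace a Linux-PAM 'auth' stack to see which modules actually run.

Added example for the gentoo-user thread above; not code from the poster,
Linux-PAM or pam_ccreds.  Control-flag semantics follow pam.conf(5)
(ok / done / bad / die / ignore / reset and the numeric "skip the next N
modules" jump) in simplified form: the first failure recorded is kept, a
later success never overrides it, and a stack that ends with no recorded
result is treated as denied.  All module return codes below are
constructed inputs for the scenarios, not values observed on a real host.
"""

# The auth section of /etc/pam.d/system-auth as posted, wrapped lines rejoined.
AUTH_STACK = """\
auth required pam_env.so
auth [user_unknown=ignore default=done] pam_unix.so likeauth nullok shadow try_first_pass
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
auth required pam_deny.so
"""

# Expansions of the legacy keywords, as given in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_stack(text):
    """Return [(control_dict, label)] for each 'auth' line.

    The label is the module name plus its action= argument when present,
    so the three pam_ccreds lines can be told apart."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "auth":
            continue
        if parts[1].startswith("["):
            # Collect tokens up to the closing bracket, then split the k=v pairs.
            i, tokens = 1, []
            while True:
                tokens.append(parts[i].strip("[]"))
                if parts[i].endswith("]"):
                    break
                i += 1
            control = dict(tok.split("=", 1) for tok in tokens)
            rest = parts[i + 1:]
        else:
            control = KEYWORDS[parts[1]]
            rest = parts[2:]
        module, args = rest[0], rest[1:]
        action = [a.split("=", 1)[1] for a in args if a.startswith("action=")]
        stack.append((control, module + (":" + action[0] if action else "")))
    return stack


def run_auth(stack, returns):
    """Walk the stack; returns maps label -> return code name (default 'success').

    Result: (final status, list of labels that actually ran)."""
    status, ran, skip = None, [], 0
    for control, label in stack:
        if skip:                      # module jumped over by a numeric action
            skip -= 1
            continue
        retval = returns.get(label, "success")
        ran.append(label)
        action = control.get(retval, control.get("default", "bad"))
        if action.isdigit():          # "skip the next N modules"
            skip = int(action)
        elif action == "reset":
            status = None
        elif action != "ignore":      # ok / done / bad / die record a result
            if status is None or status == "success":
                status = retval
            if action in ("done", "die"):
                break
    return (status if status is not None else "perm_denied"), ran


def scenarios():
    """Four constructed cases for the posted stack; pam_deny always fails."""
    stack = parse_stack(AUTH_STACK)
    base = {"pam_deny.so": "auth_err"}
    return {
        # LDAP reachable, password right: success=1 hops over 'validate' into 'store'.
        "connected": run_auth(stack, {**base, "pam_unix.so": "user_unknown", "pam_ldap.so": "success"}),
        # LDAP down, cache holds the hash: authinfo_unavail=ignore falls into 'validate'.
        "offline_cached": run_auth(stack, {**base, "pam_unix.so": "user_unknown", "pam_ldap.so": "authinfo_unavail"}),
        # LDAP reachable, wrong password: default=2 hops over 'validate' and 'store' into 'update'.
        "wrong_password": run_auth(stack, {**base, "pam_unix.so": "user_unknown", "pam_ldap.so": "auth_err",
                                           "pam_ccreds.so:update": "auth_err"}),
        # pam_unix knows the user but cannot verify the password: default=done ends the stack
        # before pam_ldap or any pam_ccreds line runs.
        "unix_known_user": run_auth(stack, {**base, "pam_unix.so": "auth_err"}),
    }


if __name__ == "__main__":
    for name, (status, ran) in scenarios().items():
        print(f"{name:16} -> {status:10} via {' > '.join(ran)}")
```

Run it and compare the trace for the failing case on the laptop against the `offline_cached` row; if `store` never appears in the trace for the connected login, nothing will ever reach the cache that `cc_dump` reads.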

Attachments

File name MIME type
signature.asc application/pgp-signature