Hi all,

I would like to use pam_ccreds to cache credentials for a user when the
LDAP server is not available (using a laptop for example).

I have installed pam_ccreds, nss_updatedb and nss-db,
and run "nss_updatedb ldap"
So the system has passwd and group info locally in /var/db/passwd.db and
/var/db/group.db. I have checked that they really contain all records
from the LDAP when disconnected.

When connected, the LDAP authentication works fine, however the user
cannot log in when disconnected.

I noticed that pam_ccreds does not cache the credentials locally. I
checked this with cc_dump.

Did anyone come across this problem? How can I debug this further?

Below is how I've configured the laptop:

/etc/nsswitch.conf
passwd: files ldap [NOTFOUND=return] db
shadow: files ldap
group: files ldap [NOTFOUND=return] db

/etc/pam.d/system-auth
auth required pam_env.so
auth [user_unknown=ignore default=done] pam_unix.so likeauth nullok shadow try_first_pass
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
auth required pam_deny.so

account [user_unknown=ignore default=done] pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 100
account [authinfo_unavail=ignore default=done] pam_ldap.so
account [default=done] pam_permit.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok try_first_pass
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0066
session optional pam_ldap.so

Regards,
Stephane
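
Since the post asks how to debug this further, here is an added example (not part of the original post and not code from pam_ccreds) that traces which entries of the posted auth stack are invoked for a given set of module return codes. The return codes passed in are assumptions chosen for illustration, and `parse` and `trace` are hypothetical helper names.

```python
# Added example: trace which entries of the posted auth stack are invoked,
# given assumed per-module return codes (constructed inputs, not captured logs).
AUTH_STACK = """\
auth required pam_env.so
auth [user_unknown=ignore default=done] pam_unix.so likeauth nullok shadow try_first_pass
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
auth required pam_deny.so
"""

# Bracket equivalents of the keyword controls, as documented in pam.conf(5).
KEYWORDS = {
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional": "success=ok new_authtok_reqd=ok default=ignore",
}

def parse(stack):
    entries = []
    for line in stack.splitlines():
        _, rest = line.split(None, 1)                 # drop the "auth" column
        if rest.startswith("["):
            control, rest = rest[1:].split("]", 1)
        else:
            control, rest = rest.split(None, 1)
            control = KEYWORDS[control]
        actions = dict(pair.split("=") for pair in control.split())
        module, *args = rest.split()
        label = module + "".join(" " + a for a in args if a.startswith("action="))
        entries.append((label, actions))
    return entries

def trace(results, stack=AUTH_STACK):
    """Modules invoked, in order; `results` maps label -> assumed code (unlisted: success)."""
    entries, ran, i = parse(stack), [], 0
    while i < len(entries):
        label, actions = entries[i]
        ran.append(label)
        # Every entry in this stack defines default=, so the lookup cannot miss.
        action = actions.get(results.get(label, "success"), actions["default"])
        if action in ("done", "die"):                 # stack ends here
            break
        i += 1 + (int(action) if action.isdigit() else 0)  # N = skip next N entries
    return ran
```

In this stack `pam_ccreds.so action=store` is reached only when `pam_unix.so` returns `user_unknown` and `pam_ldap.so` then returns `success`; any other `pam_unix.so` result ends the stack at that line because of `default=done`. Comparing such a trace with the modules that actually appear in the auth log for a login attempt shows where the real stack diverges.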