On Mon, Jan 28, 2002 at 11:10:09PM +1100, Russell Coker wrote:
> On Mon, 28 Jan 2002 21:31, Florian Bantner wrote:
[snip]
> > auth sufficient pam_rootok.so
> > auth sufficient pam_ldap.so
> > auth required pam_unix.so use_first_pass
> > account sufficient pam_ldap.so
> > account required pam_unix.so
> > session required pam_unix.so
>
> I suggest putting pam_unix first and pam_ldap later in the
> list. If you do otherwise then an LDAP problem can make it
> impossible to login which is a real bitch. I once had that
> happen to servers at a secure hosting facility, that was a
> real PITA.
[snip]

I haven't looked at the PAM docs enough or bothered testing this, but I think what Florian has above should be fine. pam_ldap.so is "sufficient" so that if LDAP is working and he types in the right user/pass combination, it should let him in. If LDAP is not working, it should fall through to pam_unix.so and also use the password he already typed in for pam_ldap.so.

--
Michael Wood <[EMAIL PROTECTED]>
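
The control flags discussed in this thread can be traced with a small model. This is an added example, not part of the original message and not Linux-PAM code: it implements the `sufficient`/`required`/`requisite` semantics documented in pam.conf(5), the `UNIX_FIRST` stack is an assumed reading of the suggested reordering, and the module return codes are constructed inputs.

```python
# Simplified model of PAM control flags as documented in pam.conf(5).
# Not Linux-PAM code; "optional" and bracketed controls are not modelled.
FLORIAN = """\
auth sufficient pam_rootok.so
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
session required pam_unix.so
"""
# Assumed reading of "pam_unix first, pam_ldap later" (not given in the thread).
UNIX_FIRST = """\
auth sufficient pam_rootok.so
auth sufficient pam_unix.so
auth required pam_ldap.so use_first_pass
"""

def parse(text, mgmt_type):
    """Return [(control, module)] for one management group, in file order."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(r[1], r[2]) for r in rows if r[0] == mgmt_type]

def evaluate(text, mgmt_type, results):
    """results maps module name -> PAM return code name for this attempt."""
    failed, succeeded, trace = None, False, []
    for control, module in parse(text, mgmt_type):
        rc = results.get(module, "PAM_AUTH_ERR")   # default: module says no
        trace.append((module, rc))
        ok = rc == "PAM_SUCCESS"
        if control == "sufficient":
            if ok and failed is None:
                return "PAM_SUCCESS", trace        # stop; later modules not run
            # a failing sufficient module is ignored and the stack continues
        elif control in ("required", "requisite"):
            if ok:
                succeeded = True
            else:
                failed = failed or rc              # keep the first failure
                if control == "requisite":
                    break                          # fail without running the rest
    if failed:
        return failed, trace
    return ("PAM_SUCCESS" if succeeded else "PAM_PERM_DENIED"), trace

# Constructed scenario: LDAP unreachable, user exists in the local files.
LDAP_DOWN_LOCAL_USER = {"pam_ldap.so": "PAM_AUTHINFO_UNAVAIL",
                        "pam_unix.so": "PAM_SUCCESS"}

if __name__ == "__main__":
    for label, stack in (("as posted", FLORIAN), ("unix first", UNIX_FIRST)):
        print(label, evaluate(stack, "auth", LDAP_DOWN_LOCAL_USER))
```

The model covers return codes only; a module that blocks instead of returning is outside what it shows.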