Frank Sorenson wrote:
Mike Lovell wrote:
I am trying to get LDAP working for an environment that I have.
Currently, the LDAP is working and I can authenticate against the LDAP and
everything is working fine. The one complaint I have is that on a user
or group lookup where the local account information is sufficient,
there is still a query going against LDAP. Does anyone know if it is
possible to configure things so that if there is a result found in
/etc/passwd and /etc/group, then no query is made against the LDAP? I
am wanting to deploy this in an environment that is doing a ton of
file operations as a particular user that is already on the local
machines, and I don't want queries hitting the LDAP all of the time
and killing it. I know nscd will cache the info, but I am wanting to
not hit the LDAP for that user at all. Here is what I have in my
nsswitch.conf.
The nsswitch.conf looks fine. I'd look into the ordering of the pam
stack. Check for references to pam_ldap.so in the
/etc/pam.d/system-auth or service-specific configuration, and make
sure that the ordering there only goes to ldap if it's not found
locally. For example:
    auth sufficient pam_unix.so
    auth sufficient pam_ldap.so use_first_pass
    auth required pam_deny.so

and

    account sufficient pam_unix.so
    account sufficient pam_ldap.so
    account required pam_deny.so
Frank
I think I have it working now. Putting the pam_ldap.so lines below the
pam_unix.so lines was what I tried first, and that resulted in queries
happening against the LDAP. After I changed the pam_unix.so lines to be
sufficient instead of required, it started working the
way I expected. My only question is: is there any problem with changing
pam_unix.so to be sufficient instead of required? I am kind of a pam
n00b. Thanks
Mike
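The difference Mike observed comes from PAM control flags: "required" never ends the walk, so every module below it (pam_ldap.so included) still runs, while "sufficient" ends the stack on success. The following simulator is an added example written for this thread, not code from either poster or from Linux-PAM; it models the four classic control flags in simplified form and uses constructed module outcomes for a local-only and an LDAP-only user.

```python
# Added example: simplified Linux-PAM stack walk for the two auth stacks above.
# Shows which modules get called (a call to pam_ldap.so means a directory query).
from typing import Dict, List, Tuple

def run_stack(stack: List[Tuple[str, str]], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk a PAM stack of (control, module) pairs.

    results maps module name -> True (PAM_SUCCESS) or False; a module not
    listed is treated as failing, which is exactly what pam_deny.so does.
    Returns (access_granted, modules_actually_called).
    Simplification: no [value=action] syntax, no per-module return codes."""
    called: List[str] = []
    required_failed = False
    any_success = False
    for control, module in stack:
        called.append(module)            # the module runs; for pam_ldap.so that is an LDAP query
        ok = results.get(module, False)
        any_success = any_success or ok
        if control == "required":
            if not ok:
                required_failed = True   # final answer is failure, but the walk continues
        elif control == "requisite":
            if not ok:
                return False, called     # stop immediately on failure
        elif control == "sufficient":
            if ok and not required_failed:
                return True, called      # success ends the stack: later modules never run
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r}")
    return (not required_failed) and any_success, called

# The auth stack Frank suggested: local check first, LDAP only if that fails.
SUFFICIENT_FIRST = [("sufficient", "pam_unix.so"),
                    ("sufficient", "pam_ldap.so"),   # use_first_pass in the real file
                    ("required",   "pam_deny.so")]

# The variant Mike tried first: pam_unix.so "required" instead of "sufficient".
REQUIRED_FIRST = [("required",   "pam_unix.so"),
                  ("sufficient", "pam_ldap.so"),
                  ("required",   "pam_deny.so")]

# Constructed outcomes: a user only in /etc/passwd with a correct password
# (pam_unix succeeds, pam_ldap fails as the user is unknown to the directory).
LOCAL_USER = {"pam_unix.so": True, "pam_ldap.so": False}
# Constructed outcomes: a user that exists only in LDAP.
LDAP_USER = {"pam_unix.so": False, "pam_ldap.so": True}

if __name__ == "__main__":
    for name, stack in (("sufficient first", SUFFICIENT_FIRST), ("required first", REQUIRED_FIRST)):
        granted, called = run_stack(stack, LOCAL_USER)
        print(f"{name:16s} local user: granted={granted} called={called}")
```

With "required" first the local user still triggers the pam_ldap.so call, and with the trailing pam_deny.so that stack even denies the local user; "sufficient" first stops at pam_unix.so for local users and only falls through to LDAP when the local check fails, with pam_deny.so still catching everyone else.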
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/