Bug 102486 - local user can't be authorized if pam_check_host_attr yes
Summary: local user can't be authorized if pam_check_host_attr yes
Status: RESOLVED FIXED
Alias: None
Product: [OLD] Docs-user
Classification: Unclassified
Component: Submit New
Hardware: All All
Importance: High normal
Assignee: Sven Vermeulen (RETIRED)
URL: http://www.gentoo.org/doc/en/ldap-how...
Reported: 2005-08-14 06:48 UTC by Alen Kovac
Modified: 2005-10-01 12:22 UTC (History)
Description Alen Kovac 2005-08-14 06:48:10 UTC
If {nss,pam}_ldap is configured to check for "host" attribute to do
authorization, local user (defined in /etc/{passwd,shadow} files) will not be
able to log in (root user should never be in ldap). There are also lots of other
problems described in URL that I specified.

Fix is to configure /etc/pam.d/system-auth, account section, to look like this:

account    requisite    pam_unix.so
account    sufficient   pam_localuser.so
account    required     pam_ldap.so


Reproducible: Always
Steps to Reproduce:
Comment 1 Jan Kundrát (RETIRED) gentoo-dev 2005-08-14 07:15:53 UTC
I don't see any connection at all between $URL and Gentoo, maybe you should 
report it to the original author. 
Comment 2 Xavier Neys (RETIRED) gentoo-dev 2005-08-14 07:24:25 UTC
That url explains the solution
http://meltin.net/people/martin/publications/polythenepam.html
if you don't mind reading that 150kn pdf :)
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2005-08-14 07:33:57 UTC
Hmm, should not this be assigned to pam herd then? No, I did not bother reading
the PDF. ;p
Comment 4 Jan Kundrát (RETIRED) gentoo-dev 2005-08-14 07:38:51 UTC
Well, I'm sorry, but I still can't see any relation either with Gentoo or with
Gentoo docs...
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2005-08-14 08:10:28 UTC
(In reply to comment #4)
> Well, I'm sorry, but I still can't see any relation either with Gentoo or with
> Gentoo docs...

Neither can I. CCing pam herd, maybe they have some brilliant ideas :)
Comment 6 Alen Kovac 2005-08-14 08:35:18 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > Well, I'm sorry, but I still can't see any relation either with Gentoo or with
> > Gentoo docs...
> 
> Neither can I. CCing pam herd, maybe they have some brilliant ideas :)

Sorry, I forgot to mention that this is related to:
http://www.gentoo.org/doc/en/ldap-howto.xml

Comment 7 Alen Kovac 2005-08-14 08:56:42 UTC
(In reply to comment #0)

It is actually more general. If a local user (e.g. root) is not in ldap, he will
not be able to log in with the pam configuration shown in the manual.
Comment 8 Alen Kovac 2005-08-14 09:35:20 UTC
(In reply to comment #7)
> (In reply to comment #0)
> 
> It is actually more general. If a local user (e.g. root) is not in ldap, he will
> not be able to log in with the pam configuration shown in the manual.

Now I found that root can't change its password. But when I change
/etc/pam.d/system-auth (password directive) to:

password   sufficient   pam_ldap.so use_authtok use_first_pass

it's ok. It also resolves the problem when a user (in ldap) is changing password
and /etc/pam.d/system-auth has
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3

the user is asked to enter its new password 4 times!?

akovac2@prelog ~ $ passwd
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
New password:
Re-enter new password:
LDAP password information changed for akovac2
passwd: password updated successfully

so I think that correct configuration for pam_ldap in /etc/pam.d/system-auth
should be:

akovac2@prelog ~ $ cat /etc/pam.d/system-auth
#%PAM-1.0

# 12.08.2005. Alen Kovac
#  - pam_ldap

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

account    requisite    pam_unix.so
account    sufficient   pam_localuser.so
account    required     pam_ldap.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok use_first_pass
password   required     pam_deny.so

# umask=0066 drwx--x--x
session    required     pam_limits.so
session    required     pam_unix.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0066
session    optional     pam_ldap.so

also there is a bug in the documentation regarding umask=0. It creates 777 home dirs!?
so umask=0066 is fine by me.

SUMMARY of changes:

1)
account required  /lib/security/pam_unix.so
account sufficient  /lib/security/pam_ldap.so
to:
account    requisite    pam_unix.so
account    sufficient   pam_localuser.so
account    required     pam_ldap.so

2)
password    sufficient /lib/security/pam_ldap.so use_authtok
to:
password   sufficient   pam_ldap.so use_authtok use_first_pass

3)
session required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
to
session    required     pam_mkhomedir.so skel=/etc/skel umask=0066

Any comments? I'm neither a pam nor an ldap expert, but IMHO this should be the correct
configuration.

Alen
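How the account stack proposed above plays out for different kinds of users, as an added example that is not from the bug or the Gentoo howto: a small Python simulator of the classic PAM control flags (required, requisite, sufficient, optional), with the per-module outcomes and user names constructed for illustration rather than taken from a real system.

```python
# Simulator of the classic Linux-PAM control flags, walking the "account"
# stack proposed in comment 8 (constructed module outcomes, not a real system).

ACCOUNT_STACK = [            # (control flag, module) in stack order
    ("requisite",  "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("required",   "pam_ldap.so"),
]

# Constructed results, True = PAM_SUCCESS:
#   pam_unix.so       account data reachable through NSS (files or nss_ldap)
#   pam_localuser.so  user listed in /etc/passwd
#   pam_ldap.so       user in LDAP and permitted by the "host" attribute
USERS = {
    "root (local only)":          {"pam_unix.so": True,  "pam_localuser.so": True,  "pam_ldap.so": False},
    "akovac2 (LDAP, host ok)":    {"pam_unix.so": True,  "pam_localuser.so": False, "pam_ldap.so": True},
    "guest (LDAP, host denied)":  {"pam_unix.so": True,  "pam_localuser.so": False, "pam_ldap.so": False},
    "ghost (unknown everywhere)": {"pam_unix.so": False, "pam_localuser.so": False, "pam_ldap.so": False},
}

def run_stack(stack, results):
    """Return (authorized, modules consulted) for one walk of the stack.

    required:   failure is remembered, the walk continues
    requisite:  failure ends the walk at once with a denial
    sufficient: success ends the walk with approval unless a required
                module already failed; its own failure is ignored
    optional:   counts only when it is the sole module in the stack
    """
    failed = False
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted
        if control == "required" and not ok:
            failed = True
        if control == "sufficient" and ok and not failed:
            return True, consulted
        if control == "optional" and len(stack) == 1:
            return ok, consulted
    return not failed, consulted

if __name__ == "__main__":
    for name, results in USERS.items():
        ok, consulted = run_stack(ACCOUNT_STACK, results)
        verdict = "allowed" if ok else "denied"
        print(f"{name:28s} -> {verdict:7s} via {' -> '.join(consulted)}")
```

The walk shows the point of the ordering: a local user is approved by pam_localuser before pam_ldap is ever consulted, while an LDAP user still has to pass pam_ldap (and therefore the host attribute check) because it is required.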
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2005-10-01 12:22:50 UTC
Fixed in CVS. Thanks for the update - that PAM stuff isn't that obvious...