LDAP user authentication - Security



Thread: LDAP user authentication

  1. LDAP user authentication

    Hi!
    I have recently switched a samba server (Debian Etch) to authenticate
    the users with an LDAP directory. It works fine, however the system is
    also trying to authenticate the root user and other local users with the
    directory. When the ldap server is down, or if there is no root user in
    the ldap directory, the authentication fails and I can't log in (ssh, su,
    console).

    I want the server to query the /etc/password file first, and then to
    fall back on the ldap server (and thus ignoring a root user from the
    directory). How do I achieve that?

    My config files:

    # /etc/nsswitch.conf
    passwd: compat ldap
    shadow: compat ldap
    group: compat ldap

    # /etc/pam.d/common-auth
    auth required pam_unix.so nullok_secure
    auth sufficient pam_ldap.so use_first_pass
    auth required pam_deny.so

    # /etc/pam.d/common-session
    session required pam_unix.so
    session optional pam_ldap.so

    # /etc/pam.d/common-password
    password required pam_unix.so nullok obscure min=4 max=8 md5
    password sufficient pam_ldap.so use_authtok
    password required pam_deny.so

    # /etc/pam.d/common-account
    account required pam_unix.so
    account sufficient pam_ldap.so


    Best regards
    Maros

  2. Re: LDAP user authentication

    Maros Kollar wrote:
    > Hi!
    > I have recently switched a samba server (Debian Etch) to authenticate
    > the users with an LDAP directory. It works fine, however the system is
    > also trying to authenticate the root user and other local users with the
    > directory. When the ldap server is down, or if there is no root user in
    > the ldap directory, the authentication fails and I can't log in (ssh, su,
    > console).
    >
    > I want the server to query the /etc/password file first, and then to
    > fall back on the ldap server (and thus ignoring a root user from the
    > directory). How do I achieve that?
    >
    > My config files:
    >
    > # /etc/nsswitch.conf
    > passwd: compat ldap
    > shadow: compat ldap
    > group: compat ldap
    >
    > [snip]


    "files ldap" not "compat ldap"
