/etc/pam.d
Again, first open up two console windows. Make your changes in one, and leave the other open and logged in as root so you can fix problems while you test in the first. If you break PAM you may not be able to log in at all, but a session that is already logged in keeps working, because PAM is only consulted when a new session is opened. Also run "cp -r /etc/pam.d /etc/pam.orig" so you have a backup to copy back from that root shell.

You can usually just copy the default files that came with the pam_ldap distribution into /etc/pam.d and make only minor changes. On SuSE, you need to change every instance of pam_pwdb.so to pam_unix.so. Also, I've had problems with the passwd file. Here are two of my sample files from a SuSE system:

sauer@venus:~ > cat /etc/pam.d/login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_ldap.so
password   required     /lib/security/pam_unix.so use_first_pass
session    required     /lib/security/pam_unix_session.so
#session    optional     /lib/security/pam_console.so
sauer@venus:~ > cat /etc/pam.d/passwd
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so use_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
#password   required    /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_unix_passwd.so try_first_pass
As you can see, I changed the pwdb entries and commented out the cracklib line in passwd. I also commented out the cracklib line in chsh. These files are set up to check LDAP first and then fall back to the local system database if that fails: pam_ldap is marked sufficient, so a successful LDAP authentication ends the stack right there, while an LDAP failure is simply ignored and the required pam_unix module decides. That's usually what you want. Note that sufficient only short-circuits when nothing before it has failed, so a failing required module earlier in the stack (pam_securetty, pam_nologin) still makes the login fail even when LDAP accepts the password; that is why those lines come first. Make sure not to have a root account in the LDAP database, though, if you can avoid it. I messed that up, and wondered why root could log into any machine with either of two passwords until I figured that one out...
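To make the control-flag behaviour concrete, here is an added example, written for this page and not part of the original answer or of pam_ldap, that simulates how Linux-PAM walks the two stacks shown above. The two files are embedded as constructed copies of the listings (prompts removed), module outcomes are supplied by hand as True/False, and the root_auth model with its password strings is invented for illustration, so nothing here calls PAM or an LDAP server.

```python
"""Simulate Linux-PAM's simple control flags (required, requisite, sufficient,
optional) over the /etc/pam.d/login and /etc/pam.d/passwd files from the page.
Module outcomes are given as a table of True/False per module; no real PAM,
LDAP or password database is consulted."""
import collections

Entry = collections.namedtuple("Entry", "type control module args")

# Constructed copies of the two listings above, shell prompts removed.
LOGIN = """\
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_ldap.so
password   required     /lib/security/pam_unix.so use_first_pass
session    required     /lib/security/pam_unix_session.so
#session    optional     /lib/security/pam_console.so
"""

PASSWD = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so use_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
#password   required    /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_unix_passwd.so try_first_pass
"""


def parse_pam(text):
    """Parse one pam.d file: drop comments and blanks, keep the module basename."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed pam.d line: %r" % raw)
        mtype, control, path = fields[:3]
        entries.append(Entry(mtype, control, path.rsplit("/", 1)[-1], tuple(fields[3:])))
    return entries


def run_stack(entries, mtype, outcomes):
    """Evaluate one management group (auth, account, password or session).

    outcomes maps module name -> True (PAM_SUCCESS) / False (any error); a
    module missing from the table is treated as failing.  Returns
    (success, deciding_module).  Rules:
      required   - a failure is remembered, but the rest of the stack still runs
      requisite  - a failure ends the stack immediately
      sufficient - a success ends the stack, unless an earlier required module
                   already failed; a failure is ignored
      optional   - only counts when it is the sole module in the stack
    """
    stack = [e for e in entries if e.type == mtype]
    if not stack:
        return False, None          # an empty stack never grants access
    first_failure = None
    for e in stack:
        ok = outcomes.get(e.module, False)
        if e.control == "required":
            if not ok and first_failure is None:
                first_failure = e.module
        elif e.control == "requisite":
            if not ok:
                return False, first_failure or e.module
        elif e.control == "sufficient":
            if ok and first_failure is None:
                return True, e.module
        elif e.control == "optional":
            if len(stack) == 1:
                return ok, e.module
        else:
            raise ValueError("unsupported control flag: " + e.control)
    if first_failure is not None:
        return False, first_failure
    return True, stack[-1].module


def root_auth(password, ldap_root_pw, local_root_pw):
    """Hypothetical model of root logging in on a secure tty while a root entry
    also exists in LDAP: each backend checks the typed password against its own
    copy, which is the 'either of two passwords' situation described above."""
    outcomes = {
        "pam_securetty.so": True,
        "pam_nologin.so": True,
        "pam_ldap.so": password == ldap_root_pw,
        "pam_unix_auth.so": password == local_root_pw,
    }
    return run_stack(parse_pam(LOGIN), "auth", outcomes)


if __name__ == "__main__":
    login = parse_pam(LOGIN)
    ok = {"pam_securetty.so": True, "pam_nologin.so": True}
    print("LDAP user:", run_stack(login, "auth", dict(ok, **{"pam_ldap.so": True})))
    print("local user:", run_stack(login, "auth", dict(ok, **{"pam_unix_auth.so": True})))
    print("insecure tty:", run_stack(login, "auth",
          {"pam_securetty.so": False, "pam_nologin.so": True, "pam_ldap.so": True}))
    print("root, LDAP pw:", root_auth("ldap-secret", "ldap-secret", "local-secret"))
    print("root, local pw:", root_auth("local-secret", "ldap-secret", "local-secret"))
```

Running it also shows a difference between the two password stacks: in the login file pam_ldap and pam_unix are both required, so a password change through login must succeed in both backends, whereas in the passwd file pam_ldap is sufficient and a successful LDAP change ends the stack without touching the local files.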
2000-Jun-22 12:54am
This document is: http://www.cloudmaster.com/~sauer/projects/index.cgi?file=48
This FAQ administered by sauer@cloudmaster.com