mod_ldap config for two ldap servers

Kaleb Pederson kpederson at mail.ewu.edu
Thu Sep 9 16:07:12 UTC 2004


I'm trying to get mod_ldap stacked so that it will search two different ldap 
servers on ssh authentication.  If I use either the first configuration or 
the second configuration alone, it works fine.  When I try to stack the modules so 
that it will fall back to the second ldap server on failure, the first entry 
works (whichever one it may be), but the second one never gets queried 
(verified with tcpdump).

I'm sure I've missed something, as I don't fully understand how the different 
pieces (auth/account/password/session) interact.  Can anybody point me in the 
right direction?

The error that I get is:
... sshd(pam_unix)[32554]: authentication failure; logname= uid=0 euid=0 
tty=NODEVssh ruser= ...

---- /etc/pam.d/sshd ----
# Per-service stack for sshd: all four management groups defer to the shared
# system-auth stack through pam_stack (service= names the file under /etc/pam.d).
auth       required     pam_stack.so service=system-auth
# Refuses non-root logins while /etc/nologin exists; as "required", a failure
# is remembered but the remaining auth lines still run before it is reported.
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
# pam_limits is also listed in the session group of system-auth, so it runs
# twice for ssh logins - redundant rather than harmful.
session    required     pam_limits.so
# "optional": the session still succeeds if pam_console fails.
session    optional     pam_console.so

---- /etc/pam.d/system-auth ----
# Shared stack pulled in via pam_stack from /etc/pam.d/sshd (and other services).
# Control flags: "required" = a failure is remembered but the stack keeps
# running; "sufficient" = success ends the stack, failure is ignored and the
# next line is tried.  $ISA is expanded by the PAM loader to the
# architecture-specific module directory.
#
# ---- auth: establish who the user is.
auth        required      /lib/security/$ISA/pam_env.so
# Local accounts first.  nullok accepts an empty password for accounts that
# have one - review whether that is intended for a network-facing sshd.
# likeauth makes the setcred call return the same result as the auth call.
# For LDAP-only users this line fails (expected), which is presumably the
# pam_unix "authentication failure" seen in the log before pam_ldap runs.
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
# if I swap the next two, whichever one is first works
# NOTE(review): by the control-flag rules above the second pam_ldap line is
# reached whenever the first one fails, so the reported symptom (second server
# never queried, per tcpdump) suggests the second instance is not honouring
# its config= argument - presumably because pam_ldap keeps one process-wide
# configuration; confirm against the installed pam_ldap version's documentation.
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
# NOTE(review): the next two physical lines are one PAM entry; the break is
# presumably mail wrapping and must not appear in the real file.
auth        sufficient    /lib/security/$ISA/pam_ldap.so 
config=/etc/secondary.ldap.conf use_first_pass
# Fail-closed terminator: reached only when no "sufficient" line succeeded.
auth        required      /lib/security/$ISA/pam_deny.so

# ---- account: is the already-authenticated account allowed in?
account     required      /lib/security/$ISA/pam_unix.so
# Bracket syntax: "user not in LDAP" and LDAP service/system errors are
# ignored, success is ok, anything else fails the stack.  Only the primary
# server is consulted here, so a user known only to the secondary server is
# "ignored" by this line and must still pass pam_unix above - TODO confirm
# what the NSS configuration returns for such users.
# NOTE(review): one entry split across two lines (mail wrapping).
account     [default=bad success=ok user_unknown=ignore service_err=ignore 
system_err=ignore] /lib/security/$ISA/pam_ldap.so

# ---- password: changing a password.  pam_cracklib checks the new password
# (up to 3 prompts); the later lines reuse that token via use_authtok.
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
# NOTE(review): one entry split across two lines (mail wrapping).
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok 
md5 shadow
# if I swap the next two, whichever one is first works
# Same stacking pattern - and the same symptom - as the auth group above.
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
# NOTE(review): one entry split across two lines (mail wrapping).
password    sufficient    /lib/security/$ISA/pam_ldap.so 
config=/etc/secondary.ldap.conf use_authtok
password    required      /lib/security/$ISA/pam_deny.so

# ---- session: setup and teardown around the login.  pam_limits is also
# listed in /etc/pam.d/sshd, so it runs twice for ssh logins.
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
# if I add in a second ldap entry here, neither of them will work
# NOTE(review): only the first physical line of the commented-out entry
# carries a "#"; if the continuation below really sits on its own line in the
# file, it is a malformed entry, which may be what breaks both session lines.
#session     optional      /lib/security/$ISA/pam_ldap.so 
config=/etc/secondary.ldap.conf

Thanks for the help.

--Kaleb




