Reputation: 718
I set up PAM authentication towards Oracle Unified Directory on RH5 using the nslcd daemon.
I would like the authentication to first try local users and then, if no user is found, contact the LDAP server. So I edited /etc/nsswitch.conf in this way:
passwd: files ldap
shadow: files ldap
group: files ldap
But it seems this is not working, since if the LDAP server is down I'm not able to log in to the server.
Am I missing something?
EDIT:
This is my PAM /etc/pam.d/system-auth (I'm not using sssd, only nslcd).
#%PAM-1.0
# This file is auto-generated.
auth required pam_env.so
auth sufficient pam_unix.so nullok
auth sufficient pam_ldap.so use_first_pass ignore_authinfo_unavail
auth required pam_deny.so
account required pam_unix.so broken_shadow
account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_ldap.so try_first_pass ignore_unknown_user ignore_authinfo_unavail
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel umask=077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so ignore_authinfo_unavail
I set system-auth to debug and this is the result:
Dec 20 17:46:38 <hostname> nscd: nss_ldap: failed to bind to LDAP server ldap://<dns_1>:3389: Can't contact LDAP server
Dec 20 17:46:38 <hostname> nscd: nss_ldap: failed to bind to LDAP server ldap://<dns_2>:3389: Can't contact LDAP server
Dec 20 17:46:38 <hostname> nscd: nss_ldap: failed to bind to LDAP server ldap://<ip_1>:3389: Can't contact LDAP server
Dec 20 17:46:38 <hostname> nscd: nss_ldap: failed to bind to LDAP server ldap://<ip_2>:3389: Can't contact LDAP server
Upvotes: 3
Views: 9173
Reputation: 718
I've found out the problem.
The resolution is to change this line in /etc/pam.d/system-auth-ac:
account required pam_unix.so broken_shadow
into this:
account sufficient pam_unix.so broken_shadow
Be sure to change the same directive in /etc/pam.d/password-auth-ac if you have that file too. Now the whitelisting through nss_initgroups_ignoreusers should work fine.
EDIT (some years later): the problem here was that, since PAM authentication works in cascade, there is no reason to go ahead in the account service if you already have a local account. So the first line (pam_unix.so) is enough for an authentication. Previously the stack kept checking pam_ldap.so as well, because all three lines were required to log in, and if the LDAP service is down or unreachable the authentication stack breaks.
Upvotes: 1
Reputation: 753
For anyone on Debian
diff /etc/pam.d/common-account ...
...
+account [success=done new_authtok_reqd=done default=ignore] pam_unix.so
-account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
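Review bot: the `...` hides what follows pam_unix.so in common-account, and the two lines are shown in reverse of the usual unified-diff order (`+` before the `-` it replaces); please show the lines after pam_unix.so as well, because `success=1` skips exactly one following module whereas `success=done` ends the account stack for any user pam_unix.so knows, so the behaviour differs whenever more than one module (in the question's stack, pam_ldap.so and then pam_permit.so) comes after it. Worth stating for readers that `default=ignore` is unchanged, so a user unknown to pam_unix.so still falls through to the later modules.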
Upvotes: 0
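One way to see the cascade the EDIT above describes, and why the Debian `[success=done ...]` form is the same fix, is to replay the account stack under the control-flow rules of pam.conf(5). This is an added example, not code from the thread; it assumes that an unreachable server makes pam_ldap.so return PAM_AUTHINFO_UNAVAIL and that pam_unix.so returns PAM_USER_UNKNOWN for an LDAP-only user.

```python
import re
# Added example: simulates Linux-PAM account-stack control flow as defined in
# pam.conf(5); every module return value below is assumed, not real.
KEYWORDS = {  # keyword controls expanded to their bracketed form (pam.conf(5))
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")  # type, control, module

def parse_stack(text, service="account"):
    """Return [(module, {return_value: action})] for one service type."""
    stack = []
    for line in text.splitlines():
        m = LINE.match(line.split("#", 1)[0].strip())
        if m and m.group(1) == service:
            ctl = m.group(2)
            ctl = ctl[1:-1] if ctl.startswith("[") else KEYWORDS[ctl]
            stack.append((m.group(3), dict(kv.split("=") for kv in ctl.split())))
    return stack

def run_stack(stack, results):
    """Walk the stack; returns (final status, modules actually consulted)."""
    status, failing, consulted, i = None, False, [], 0
    while i < len(stack):
        module, actions = stack[i]
        ret = results[module]                        # assumed module result
        consulted.append(module)
        action = actions.get(ret[len("PAM_"):].lower(), actions["default"])
        i += 1
        if action in ("ok", "done") and not failing:
            status = ret                             # never hides an earlier failure
        elif action in ("bad", "die") and not failing:
            status, failing = ret, True              # the first failure wins
        elif action.isdigit():                       # 'N': skip the next N modules
            i += int(action)                         # ('ignore' changes nothing)
        if action == "die" or (action == "done" and not failing):
            break                                    # 'die'/'done' end the stack
    return (status or "PAM_PERM_DENIED"), consulted  # nothing decided -> deny
# Account stack from the question (pam_unix 'required') and the accepted fix
# (pam_unix 'sufficient'); the pam_ldap and pam_permit lines are unchanged.
BROKEN = """account required pam_unix.so broken_shadow
account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account required pam_permit.so"""
FIXED = BROKEN.replace("account required pam_unix.so", "account sufficient pam_unix.so")
def results(unix, ldap):  # assumed per-module results for one login attempt
    return {"pam_unix.so": unix, "pam_ldap.so": ldap, "pam_permit.so": "PAM_SUCCESS"}
LDAP_DOWN_LOCAL_USER = results("PAM_SUCCESS", "PAM_AUTHINFO_UNAVAIL")  # server unreachable
LDAP_UP_LDAP_USER = results("PAM_USER_UNKNOWN", "PAM_SUCCESS")          # LDAP-only user
```

With the original stack a local user's login ends in PAM_AUTHINFO_UNAVAIL after all three modules were consulted; with pam_unix.so `sufficient` it ends in PAM_SUCCESS after the first module, while an LDAP-only user still falls through to pam_ldap.so.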
Reputation: 718
I haven't found an answer yet. It is still trying to contact the LDAP server, but I've added the nss_initgroups_ignoreusers directive in /etc/ldap.conf. So, for the users declared in this directive, even if the whole LDAP SERVICE is down you can log in to the machine.
This directive only works if the LDAP SERVICE is DOWN but the machine is up & running, because it still tries to bind to the LDAP SERVER.
In order to avoid idle timeouts you also have to add the idle_timelimit directive to /etc/ldap.conf, in order to time out the connection to the LDAP SERVER if the acknowledgement fails.
Anyway, these are two workarounds and not a resolution of the problem.
Upvotes: 0