Dear Tony,
Thanks for your prompt response.
http://www.linux.com/articles/113567 describes the "sufficient" modifier as follows:
If a sufficient module succeeds, it is enough to satisfy the requirements of sufficient modules in that realm for use of the service, and modules below it that are also listed as 'sufficient' are not invoked.
Given the following /etc/pam.d/system.auth file:

auth required   /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required   /lib/security/$ISA/pam_deny.so
I think LDAP is used ONLY if the unix authentication fails?? right??? am I missing something???
----- Original Message ----
From: Tony Earnshaw <tonni@hetnet.nl>
To: openldap-technical@openldap.org
Sent: Thursday, February 21, 2008 9:58:57 PM
Subject: Re: using LDAP as central authentication unit
Hamidreza Hamedtoolloei wrote, on 22-02-2008 03:21:

> I've followed one of the online instructions on how to configure my
> system to use ldap as the user authentication mechanism. below is
> partial content of my /etc/pam.d/system.auth file:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> looking at some online resources about how pam works, it seems that unix
> authentication is being applied first, and only if it fails, ldap
> authentication is applied. Am I correct here? In other words if all the
> users are still in /etc/shadow and /etc/passwd files.... ldap is NOT
> being used for authentication. If I delete the users from /etc/passwd...
> then LDAP is used.... right?

No, all the modules will be used, but the way they are treated depends on the modifiers {sufficient,required,requisite} and {use_first_pass,try_first_pass,null} (unless you're using Solaris >= 10 where they've been obsoleted).

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl
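An added simulation, not from the thread or from Linux-PAM itself, of how the auth stack quoted above is walked: each module's verdict is modelled as a plain boolean (an assumption, since real modules prompt and consult /etc/shadow or the directory), pam_env is assumed to always succeed and pam_deny to always fail. It shows that a successful "sufficient" pam_unix ends the stack before pam_ldap is invoked, that pam_ldap (reusing the password pam_unix already collected via use_first_pass) runs only when pam_unix rejects the user, and that the trailing "required" pam_deny turns "nothing accepted" into a failure.

```python
from dataclasses import dataclass

# Constructed copy of the system-auth lines quoted in the thread.
SYSTEM_AUTH = """\
#%PAM-1.0
auth required   /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required   /lib/security/$ISA/pam_deny.so
"""

@dataclass
class Entry:
    control: str   # required / requisite / sufficient / optional
    module: str    # basename, e.g. pam_unix.so
    args: tuple    # module arguments such as use_first_pass

def parse_stack(text, facility="auth"):
    """Keep only the lines of one management group, in file order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != facility:
            continue  # comments, blank lines, other groups
        control, path, *args = parts[1:]
        entries.append(Entry(control, path.rsplit("/", 1)[-1], tuple(args)))
    return entries

def run_stack(entries, verdicts):
    """Walk the stack as Linux-PAM does for pam_authenticate().
    verdicts: module name -> bool (would it accept this user?)."""
    invoked, required_failed = [], False
    for e in entries:
        invoked.append(e.module)
        ok = verdicts.get(e.module, False)
        if e.control == "required" and not ok:
            required_failed = True      # remembered; later modules still run
        elif e.control == "requisite" and not ok:
            return False, invoked       # stops the stack at once
        elif e.control == "sufficient" and ok and not required_failed:
            return True, invoked        # short-circuit: nothing below runs
        # a failing sufficient module is simply ignored
    return not required_failed, invoked

def authenticate(unix_ok, ldap_ok):
    """pam_env always succeeds and pam_deny always fails (assumed)."""
    verdicts = {"pam_env.so": True, "pam_unix.so": unix_ok,
                "pam_ldap.so": ldap_ok, "pam_deny.so": False}
    return run_stack(parse_stack(SYSTEM_AUTH), verdicts)
```

authenticate(True, True) returns success with only pam_env and pam_unix invoked, so a user with a working local password never touches the directory; authenticate(False, True) succeeds via pam_ldap, and authenticate(False, False) fails at pam_deny with all four modules invoked.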