spointu (n00b)
Joined: 20 Nov 2007, Posts: 2
Posted: Tue Nov 20, 2007 11:13 am    Post subject: pam_ccreds - Disconnected LDAP
Hi all,
I would like to use pam_ccreds to cache credentials for a user when the
LDAP server is not available (using a laptop for example).
I have installed pam_ccreds, nss_updatedb and nss-db, and run "nss_updatedb ldap",
so the system has passwd and group info locally in /var/db/passwd.db and
/var/db/group.db. I have checked that they really contain all records
from the LDAP when disconnected.
When connected, the LDAP authentication works fine, however the user
cannot login when disconnected.
I noticed that pam_ccreds does not cache the credentials locally. I
checked this with cc_dump.
Did anyone come across this problem? How can I do more debugging on this?
Below is how I've configured the laptop:
/etc/nsswitch.conf
passwd: files ldap [NOTFOUND=return] db
shadow: files ldap
group: files ldap [NOTFOUND=return] db
/etc/pam.d/system-auth
auth required pam_env.so
auth [user_unknown=ignore default=done] pam_unix.so likeauth nullok shadow try_first_pass
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
auth required pam_deny.so
account [user_unknown=ignore default=done] pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 100
account [authinfo_unavail=ignore default=done] pam_ldap.so
account [default=done] pam_permit.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok try_first_pass
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0066
session optional pam_ldap.so
Regards,
Stephane
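The posted auth stack relies entirely on the [value=action] control syntax (ignore, done, bad, and the numeric jumps success=1 / default=2), so the first thing to establish when the cache stays empty is which pam_ccreds line each login path actually reaches. The script below is an added example, not the poster's configuration or code from pam_ccreds or Linux-PAM: it parses the auth lines exactly as posted and walks them with the dispatch rules from pam.conf(5) (a jump counts as ok plus a skip; done stops the stack only when no earlier result has already recorded a failure). The module return values in SCENARIOS are constructed assumptions chosen to exercise each branch; on a real system they come from the modules themselves and from syslog with debug turned on.

```python
"""Trace how Linux-PAM walks an 'auth' stack written in [value=action] form.

Added example for the post above; not the poster's own code and not part of
Linux-PAM or pam_ccreds.  The per-scenario module results are CONSTRUCTED
assumptions, chosen to show which pam_ccreds line each path reaches.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Classic keywords as Linux-PAM expands them (pam.conf(5)).
SIMPLE_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The auth section exactly as posted.
POSTED_AUTH_STACK = """
auth required pam_env.so
auth [user_unknown=ignore default=done] pam_unix.so likeauth nullok shadow try_first_pass
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
auth required pam_deny.so
"""


@dataclass
class Entry:
    control: Dict[str, str]  # PAM return value -> action
    module: str
    args: str

    @property
    def label(self) -> str:
        return f"{self.module} {self.args}".strip()


def parse_stack(text: str, facility: str = "auth") -> List[Entry]:
    """Parse pam.d lines for one facility; bracketed controls may contain spaces."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != facility:
            continue
        if parts[1].startswith("["):
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            spec = " ".join(parts[1:end + 1])[1:-1]
            control = dict(kv.split("=", 1) for kv in spec.split())
            rest = parts[end + 1:]
        else:
            control = SIMPLE_CONTROLS[parts[1]]
            rest = parts[2:]
        entries.append(Entry(control, rest[0], " ".join(rest[1:])))
    return entries


def run_stack(entries: List[Entry], results: Dict[str, str]) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Walk the stack the way libpam's dispatcher does.

    results maps an entry label ("pam_ccreds.so action=store") or a bare
    module name to the return value it is assumed to produce; unlisted
    modules return "success".  Returns (final status, trace of
    (label, retval, action)) so the path taken can be inspected.
    """
    impression = None        # None = undecided, "pos" or "neg" (libpam's terms)
    status = "perm_denied"   # PAM_MUST_FAIL_CODE until something contributes
    trace: List[Tuple[str, str, str]] = []
    i = 0
    while i < len(entries):
        e = entries[i]
        retval = results.get(e.label, results.get(e.module, "success"))
        action = e.control.get(retval, e.control.get("default", "bad"))
        trace.append((e.label, retval, action))
        skip = 0
        if action.isdigit():          # "N": same as ok, then jump over N modules
            skip, action = int(action), "ok"
        if action in ("ok", "done"):
            # Contribute this result unless an earlier one already recorded failure.
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break                 # stack terminates here
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", retval
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, "perm_denied"
        # "ignore": the result is simply not counted
        i += 1 + skip
    return status, trace


def modules_reached(trace: List[Tuple[str, str, str]]) -> List[str]:
    return [label for label, _, _ in trace]


# Constructed scenarios: assumed return values, not measured ones.
SCENARIOS = {
    "ldap reachable, password ok": {
        "pam_unix.so": "user_unknown", "pam_ldap.so": "success", "pam_deny.so": "auth_err"},
    "ldap down, cache valid": {
        "pam_unix.so": "user_unknown", "pam_ldap.so": "authinfo_unavail", "pam_deny.so": "auth_err"},
    "ldap down, nothing cached": {
        "pam_unix.so": "user_unknown", "pam_ldap.so": "authinfo_unavail",
        "pam_ccreds.so action=validate use_first_pass": "auth_err", "pam_deny.so": "auth_err"},
    "pam_unix rejects first": {
        "pam_unix.so": "auth_err", "pam_ldap.so": "success", "pam_deny.so": "auth_err"},
}

if __name__ == "__main__":
    stack = parse_stack(POSTED_AUTH_STACK)
    for name, results in SCENARIOS.items():
        status, trace = run_stack(stack, results)
        print(f"{name}: final={status}")
        for label, retval, action in trace:
            print(f"    {label:50} -> {retval:18} [{action}]")
```

Two things the trace makes visible: action=store is only reached on the connected path, after pam_ldap returns success and the jump of one lands on it, so cc_dump can only show an entry after at least one successful login while the directory was reachable; and pam_unix's default=done means that any return value other than success or user_unknown for a directory user ends the stack before pam_ldap and pam_ccreds run at all. Comparing the assumed return values in SCENARIOS against what the modules really report in the auth log is the quickest way to find which of those two paths the laptop is on.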