I have set up my system to allow either LDAP or the local password for login. I did this by adding "password sufficient pam_ldap.so" to PAM and calling "pam_unix2.so" afterwards.
However, I would like to require a certain group of users to authenticate against LDAP only, disallowing the fallback to pam_unix2.so. Is there a way of doing this?
Best Answer
Create a group called ldaponly and put all of your LDAP-only users into it. Then, in your PAM configuration, use the pam_succeed_if module to skip the pam_unix2 module when the user is in the ldaponly group.
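A concrete stack that does what the answer describes, as an added example that is not from the original answer. It assumes the login service's auth stack (the stack consulted at login; the question's wording says "password", but the auth type is the one that checks credentials), the group name ldaponly, and that the group is resolvable through NSS so that pam_succeed_if can look it up. The control field [success=1 default=ignore] makes PAM jump over the next module when pam_succeed_if succeeds and carry on as if the line were not there when it fails:

```text
# /etc/pam.d/login (auth section), added example, not the original poster's config
#
# 1. Try LDAP first. "sufficient" means an LDAP success ends the stack with
#    success; an LDAP failure is simply ignored and evaluation continues.
auth    sufficient                  pam_ldap.so

# 2. If the user is a member of the (assumed) ldaponly group, skip the next
#    one module (pam_unix2) so the local password is never consulted for them.
#    "quiet" keeps the module from logging every non-match; "user ingroup"
#    checks primary and supplementary group membership via NSS.
auth    [success=1 default=ignore]  pam_succeed_if.so quiet user ingroup ldaponly

# 3. Everyone else may fall back to the local password. use_first_pass reuses
#    the password already typed for pam_ldap instead of prompting again.
auth    sufficient                  pam_unix2.so use_first_pass

# 4. Reached only when nothing above returned success: an ldaponly user whose
#    LDAP bind failed (step 3 was skipped), or a local user with a wrong
#    password. Without this line the stack could end with no decisive result.
auth    required                    pam_deny.so
```

Walking the four cases: an ldaponly user with a valid LDAP password is accepted at step 1; an ldaponly user whose LDAP bind fails jumps from step 2 over step 3 and is denied at step 4; a user outside the group falls through step 2 and is accepted or denied by pam_unix2 at step 3 and pam_deny at step 4. Keep pam_deny last: if pam_unix2 were "required" rather than "sufficient", a successful local login would still hit pam_deny and be rejected. Before relying on it, exercise each case against a test account, for example with pamtester (pamtester login <user> authenticate) while a root shell stays open, since a mistake in the auth stack can lock everyone out.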