libpam-ldap for Debian
----------------------

- Be very careful when you use "sufficient pam_ldap.so" in Debian's
  /etc/pam.d/common-* files: "sufficient" returns success to the
  application as soon as pam_ldap.so succeeds (unless an earlier
  "required" module has already failed), so any "required" PAM modules
  that a service's own file lists after its "@include common-*" line are
  never run. As a workaround, use something like the following construct:

  # Check local authentication first, so root can still login
  # while LDAP is down.
  auth [success=1 default=ignore] pam_unix.so
  auth required pam_ldap.so use_first_pass
  auth required pam_permit.so

  If pam_unix.so succeeds, "success=1" skips the next module
  (pam_ldap.so) and lands on pam_permit.so; if it fails, its result is
  ignored and pam_ldap.so decides, reusing the password pam_unix.so
  already asked for ("use_first_pass"). The third line is needed so
  that "success=1" can skip over one module and still has a module to
  jump to. Without it the jump points past the end of the stack and
  PAM segfaults (current Linux-PAM releases treat such a bad jump as a
  failure instead, so the configuration is broken either way).

- If you want to use the "pam_check_host_attr" feature, make sure
  pam_unix.so cannot provide a valid "account" result for LDAP users
  via the Name Service Switch (NSS): if /etc/nsswitch.conf lists "ldap"
  for "shadow", pam_unix.so finds a shadow entry for every LDAP user,
  succeeds, and pam_ldap.so (and with it the host check) is skipped,
  which overrides your LDAP configuration. Don't use "ldap" for
  "shadow" in /etc/nsswitch.conf, just use "shadow: files". For PAM,
  use something like the following:

  # Try local /etc/shadow first and skip LDAP on success
  account [success=1 default=ignore] pam_unix.so
  account required pam_ldap.so
  account required pam_permit.so

- Debian uses /etc/pam_ldap.conf as libpam-ldap's configuration file and
  /etc/pam_ldap.secret as the file to store the password of the
  rootbinddn.

- See LDAP-Permissions.txt for details about the required LDAP
  permissions.
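The two pitfalls above (a "sufficient pam_ldap.so" shortcut in a common-* file, and a "success=N" jump that runs off the end of its stack) are both visible by reading the PAM file, so they can be caught before a login breaks. The script below is an added example, not part of libpam-ldap or of Debian's pam-auth-update machinery: it parses /etc/pam.d-style lines (including the bracketed "[success=1 default=ignore]" control syntax and "@include"), then reports both patterns. It assumes the Linux-PAM rule that a jump of N counts only modules of the same type (auth, account, ...), and the three configuration texts it checks are constructed here for illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class PamRule:
    mtype: str                      # auth, account, password, session, or "@include"
    control: str                    # required, sufficient, ... or a bracketed "[...]"
    module: str                     # e.g. pam_unix.so, or the included file name
    args: list = field(default_factory=list)


# type, control (bracketed or single word), module, optional arguments
_RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# "value=N" actions inside a bracketed control; "default=ignore" etc. do not match
_JUMP = re.compile(r"(\w+)=(\d+)")


def parse_pam(text):
    """Parse one /etc/pam.d file. Comments and blank lines are dropped,
    the '-' prefix (silently optional module) is stripped from the type."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            rules.append(PamRule("@include", "", line.split()[1]))
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        mtype, control, module, rest = m.groups()
        rules.append(PamRule(mtype.lstrip("-"), control, module, rest.split()))
    return rules


def find_sufficient_ldap(rules):
    """Rules that use the 'sufficient' shortcut for pam_ldap.so. In a
    common-* file this lets a successful LDAP result end the stack before
    the modules a service file lists after its @include."""
    return [r for r in rules
            if r.control == "sufficient"
            and r.module.rsplit("/", 1)[-1] == "pam_ldap.so"]


def find_bad_jumps(rules):
    """(rule, target index, stack length) for every bracketed control whose
    'value=N' action would land past the last module of the same type."""
    bad = []
    for mtype in sorted({r.mtype for r in rules if r.mtype != "@include"}):
        stack = [r for r in rules if r.mtype == mtype]
        for i, r in enumerate(stack):
            if not r.control.startswith("["):
                continue
            for _, n in _JUMP.findall(r.control):
                target = i + int(n) + 1     # skip N modules, land on the next
                if target >= len(stack):
                    bad.append((r, target, len(stack)))
    return bad


def audit(text, filename="common-auth"):
    """Return one finding string per problem; an empty list means clean."""
    rules = parse_pam(text)
    findings = []
    if filename.startswith("common-"):
        for r in find_sufficient_ldap(rules):
            findings.append(f"{filename}: '{r.mtype} sufficient {r.module}' "
                            f"short-circuits modules placed after '@include {filename}'")
    for r, target, size in find_bad_jumps(rules):
        findings.append(f"{filename}: '{r.mtype} {r.control} {r.module}' jumps to "
                        f"position {target} but the {r.mtype} stack has {size} modules")
    return findings


# Constructed sample: the risky shortcut.
RISKY_COMMON_AUTH = """\
auth sufficient pam_ldap.so
auth required   pam_unix.so nullok_secure
"""

# Constructed sample: the jump idiom without the trailing pam_permit.so.
TRUNCATED_COMMON_AUTH = """\
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
"""

# The construct recommended above.
FIXED_COMMON_AUTH = """\
# Check local authentication first, so root can still login
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
"""

if __name__ == "__main__":
    for name, text in [("risky", RISKY_COMMON_AUTH),
                       ("truncated", TRUNCATED_COMMON_AUTH),
                       ("fixed", FIXED_COMMON_AUTH)]:
        print(name, audit(text) or "OK")
```

Run it against a real file with `audit(open("/etc/pam.d/common-account").read(), "common-account")`; the same jump check applies to the account stack in the second note above, since jumps are counted per type.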