> The problem is probably in pam. Lot s of internet docs have incorrect
> info advice and say.
> account required pam_nologin.so
> account sufficient pam_ldap.so
>
> When you do that you get the situation you have now. In some phases of
> login sufficient becomes required.
>
> Try this:
B
Also much documentation on the internet is plain wrong and untested.
For example people will say this is ok:
#%PAM-1.0
auth sufficient pam_ldap.so
auth include system-auth
accountrequired pam_nologin.so
accountsufficient pam_ldap.so
accountinclude system-auth
My LDAP server is working well, but at this point we're not ready to
make the jump over to LDAP-only authentication. I would like to keep
regular shadow passwords working for a while. I have run
authconfig-tui on one of the CentOS clients and made sure "Use MD5
passwords", "Use Shadow Passwords",
