Locate any entries in the original /etc/pam.conf file that direct the system to use a rule requiring PAM_UNIX_AUTH, and edit them to accept a binding directive and to pass the server_policy parameter to the PAM_UNIX_AUTH module.
The following output shows a diff between the original /etc/pam.conf file and the edited file.
Edit the file to add a new rule after the altered rule line. The /etc/pam.conf file is processed from the top down so line order is important.
The new rule requires the service to include PAM_LDAP when determining whether to accept an authentication request. The use_first_pass parameter tells the PAM_LDAP module that it must accept a password collected by an earlier rule’s module (usually satisfied by the PAM_AUTHTOK_GET module).
A use case that deserves special consideration is how PAM treats the login of a local user. A local user is a user who is permitted by /etc/nsswitch.conf directives to examine files (such as the root account) and is listed in the /etc/passwd file. Local users are not necessarily stored in the LDAP store.
Allowing the root user to be listed in the LDAP store would simplify management of an important user account that spans the topology. However, an equally powerful case could be made for systems whose root user must be kept “private” for a given machine.
To accommodate the need to keep an account (such as root) as a local user, PAM must be configured so it does not access the LDAP back-end store if the user information has been saved in the local files. This situation can be addressed by specifying the server_policy parameter for the PAM_UNIX_AUTH module in the /etc/pam.conf configuration file.