
Re: nslcd (via pam), pam_authz_search and active directory


On Tue, 2010-11-09 at 11:02 -0500, wrote:
> I'm trying to use pam_authz_search, but it appears (at least based on
> the debug output of nslcd) that it is not being used. I'm hoping
> someone can tell me what I'm doing wrong (or what I'm missing).
> nslcd.conf and nslcd debug output below.

There are two problems with your configuration. First, you probably want
to include the username match in there (remember, a search like any
other is performed, it is not limited to the user object):


Second problem is that the PAM authorisation check isn't performed at
all for some reason (if it were, a nslcd_pam_authz call should have
been logged). This is most likely a problem with your PAM account stack.
You have to ensure that pam_ldap is included in there somewhere.

You could have something like the following in /etc/pam.d/whatever:

account     required
account     sufficient uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

Hope this helps.

-- arthur - - --
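
An added example (not part of the original message and not nss-pam-ldapd code): a small Python check for the two problems named in the reply, a pam_authz_search filter that never references the user being authorised and an account stack with no pam_ldap line. The sample file contents, host name and DNs are constructed; $username, $uid and $dn are the user-related variables documented in nslcd.conf(5).

```python
import re

# Variables nslcd substitutes into pam_authz_search that tie the filter to the
# user being authorised (names as documented in nslcd.conf(5)).
USER_VARS = re.compile(r"\$\{?(username|uid|dn)\b")

def authz_filters(nslcd_conf):
    """Return every pam_authz_search filter found in nslcd.conf text."""
    found = []
    for line in nslcd_conf.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "pam_authz_search":
            found.append(parts[1].strip())
    return found

def account_modules(pam_text):
    """Return module names on 'account' lines (include files are not followed)."""
    mods = []
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0].strip().lstrip("-")
        # Control is either one word or a bracketed [value=action ...] list.
        m = re.match(r"account\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            mods.append(m.group(2).rsplit("/", 1)[-1])
    return mods

def check(nslcd_conf, pam_text):
    """List the two misconfigurations named in the reply, if present."""
    problems = []
    for f in authz_filters(nslcd_conf):
        if not USER_VARS.search(f):
            problems.append("filter not tied to user: " + f)
    if "pam_ldap.so" not in account_modules(pam_text):
        problems.append("no pam_ldap in account stack")
    return problems

# Constructed sample input (not the poster's files).
BAD_NSLCD = ("uri ldap://dc.example.com\n"
             "pam_authz_search (memberOf=cn=shell,dc=example,dc=com)\n")
GOOD_NSLCD = ("pam_authz_search (&(sAMAccountName=$username)"
              "(memberOf=cn=shell,dc=example,dc=com))\n")
BAD_PAM = "account required pam_unix.so\naccount required pam_permit.so\n"
GOOD_PAM = ("account required pam_unix.so\n"
            "account [default=bad success=ok user_unknown=ignore] pam_ldap.so\n")

if __name__ == "__main__":
    print(check(BAD_NSLCD, BAD_PAM))
    print(check(GOOD_NSLCD, GOOD_PAM))
```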