RSS feed

Re: nslcd (via pam), pam_authz_search and active directory

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: nslcd (via pam), pam_authz_search and active directory

thanks - the problem was me not understanding that pam_authz_search was triggered from the account stack. i was expecting (i'm not sure why) it to be called from the auth stack.

the vrdp/pam stuff with virtualbox has been a bit of an enigma to me, and i wasn't initially using any account statements in the pam config. after adding a properly constructed account stack, it's working just great.

thanks again

On 2010.11.09 12.43, Arthur de Jong wrote:
On Tue, 2010-11-09 at 11:02 -0500, wrote:
i'm trying to use pam_authz_search, but it appears (at least based on
the debug output of nslcd) that it is not being used.  i'm hoping
someone can tell me what i'm doing wrong (or what i'm missing).

nslcd.conf and nslcd debug output below.

There are two problems with your configuration. First, you probably want
to include the username match in there (remember, a search like any
other is performed, it is not limited to the user object):


Second problem is that the PAM authorisation check isn't performed at
all for some reason (if there were a nslcd_pam_authz call should have
been logged). This is most likely a problem with your PAM account stack.
You have to ensure that pam_ldap is included in there somewhere.

You could have something like the following in /etc/pam.d/whatever:

account     required
account     sufficient uid<  1000 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

Hope this helps.
To unsubscribe send an email to or see