lists.arthurdejong.org

system (pam) doesn't work right


Hi, I use these options in the system (/etc/pam.d/) config in FreeBSD:

 

# auth
auth            sufficient      pam_opie.so                     no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so               no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so      try_first_pass
auth            required        pam_unix.so                     no_warn try_first_pass

# account
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_unix.so

# session
session         required        pam_lastlog.so                  no_fail
session         optional        /usr/local/lib/pam_ldap.so
session         optional        /usr/local/lib/pam_mkhomedir.so

# password
password        required        pam_unix.so                     no_warn try_first_pass

 

and this filter in NSLCD:

pam_authz_search (&(AccountEnable=TRUE)(uid=$username)(|(memberOf=cn=$hostname,ou=servers,ou=sys,o=test,c=ru)(memberOf=cn=$hostname,ou=$service,ou=servers,ou=sys,o=test,c=ru)))

If I delete myself from all groups on the LDAP server, I can still log in from the console on the server. If I use the same config in sshd (/etc/pam.d/), I cannot log in through OpenSSH, i.e. it works correctly. Why?


Best regards, Varnakov Kiril
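
To check which search a given login actually triggers, the pam_authz_search filter quoted above can be expanded by hand and compared with what the directory returns. This is an added example, not part of the original post and not nslcd's own code; it assumes nslcd replaces $username, $hostname and $service with filter-escaped values, and the user, host and service names are constructed samples.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """Escape filter metacharacters so a value cannot alter the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# The filter from the post, copied verbatim.
AUTHZ_FILTER = (
    "(&(AccountEnable=TRUE)(uid=$username)"
    "(|(memberOf=cn=$hostname,ou=servers,ou=sys,o=test,c=ru)"
    "(memberOf=cn=$hostname,ou=$service,ou=servers,ou=sys,o=test,c=ru)))"
)


def used_variables(template):
    """Names of the $variables a filter template depends on."""
    return sorted(set(re.findall(r"\$([a-z]+)", template)))


def expand_filter(template, variables):
    """Replace each $name with its escaped value; unknown names raise KeyError."""
    def repl(match):
        return ldap_escape(variables[match.group(1)])
    return re.sub(r"\$([a-z]+)", repl, template)


if __name__ == "__main__":
    print("variables:", used_variables(AUTHZ_FILTER))
    # Constructed sample values; substitute the real user, host and
    # the PAM service name of each login path being compared.
    for service in ("sshd", "login"):
        values = {"username": "alice", "hostname": "srv1", "service": service}
        print(service, "->", expand_filter(AUTHZ_FILTER, values))
```

The printed filter can be pasted into an ldapsearch query against the same base to see whether the entry still matches after the group memberships are removed.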

 
