
Re: system (pam) don't works right




On Thu, 2011-04-21 at 19:56 +0400, Варнаков Кирилл wrote:
> Hi, I use these options in the system (/etc/pam.d/) config in FreeBSD:
> 
> # account
> account         required        pam_login_access.so
> account         sufficient      /usr/local/lib/pam_ldap.so
> account         required        pam_unix.so 
> 
> and this filter in NSLCD:
> 
> pam_authz_search (&(AccountEnable=TRUE)(uid=$username)(|(memberOf=cn=$hostname,ou=servers,ou=sys,o=test,c=ru)(memberOf=cn=$hostname,ou=$service,ou=servers,ou=sys,o=test,c=ru)))
> 
> If I delete myself from all groups on the LDAP server, I can still log in
> from the console on the server. If I use the same config in sshd (/etc/pam.d/),
> I cannot log in via OpenSSH, i.e. it works correctly. Why?

I'm not too big an expert on PAM stuff, but are you sure both
applications (presumably login and sshd) have the same config?

Note that with the sufficient keyword there should be a fallback to the
pam_unix module if pam_ldap returns a failure. You may want to make it
required and use the ignore_unknown_user option here.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
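To make the control-flag point in the reply concrete, here is an added Python model of how a PAM account stack is walked, following the required/requisite/sufficient/optional rules documented in pam.conf(5). It is not code from nss-pam-ldapd, OpenPAM or either poster. The users (alice, bob, root), the directory contents and the module behaviours are constructed assumptions: pam_ldap is modelled as returning PAM_PERM_DENIED for an LDAP user the pam_authz_search filter no longer matches, and, when ignore_unknown_user is set, PAM_IGNORE for a user that does not exist in LDAP at all.

```python
"""Model of PAM control-flag semantics for an 'account' stack.

Added illustration only: not code from OpenPAM, Linux-PAM or
nss-pam-ldapd. Directory contents below are constructed.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

# Constructed directory state (assumption, not real data):
LDAP_USERS = {"alice", "bob"}            # accounts that exist in LDAP
AUTHZ_OK = {"alice"}                     # still matched by pam_authz_search for this host
PASSWD_USERS = {"root", "alice", "bob"}  # resolvable through NSS (files + ldap)


def pam_login_access(user, opts):
    # Assume /etc/login.access imposes no restriction.
    return PAM_SUCCESS


def pam_ldap(user, opts):
    # Models the pam_ldap.so account check: a user the pam_authz_search
    # filter rejects is denied; a user absent from LDAP is unknown, or
    # ignored when the ignore_unknown_user option is given.
    if user not in LDAP_USERS:
        return PAM_IGNORE if "ignore_unknown_user" in opts else PAM_USER_UNKNOWN
    return PAM_SUCCESS if user in AUTHZ_OK else PAM_PERM_DENIED


def pam_unix(user, opts):
    # Assume no local expiry; only existence in passwd matters here.
    return PAM_SUCCESS if user in PASSWD_USERS else PAM_USER_UNKNOWN


def run_stack(stack, user):
    """Walk the stack like a PAM dispatcher and return the final code."""
    first_error = None
    for flag, module, opts in stack:
        r = module(user, opts)
        failed = r not in (PAM_SUCCESS, PAM_IGNORE)
        if flag == "required":
            # failure is remembered, but the remaining modules still run
            if failed and first_error is None:
                first_error = r
        elif flag == "requisite":
            if failed:
                return first_error or r
        elif flag == "sufficient":
            # success ends the stack unless a required module already
            # failed; a failure is simply ignored and the walk continues
            if r == PAM_SUCCESS and first_error is None:
                return PAM_SUCCESS
        elif flag == "optional":
            pass
        else:
            raise ValueError("unknown control flag %r" % flag)
    return first_error or PAM_SUCCESS


# The account stack from the original post
POSTED = [
    ("required", pam_login_access, ()),
    ("sufficient", pam_ldap, ()),
    ("required", pam_unix, ()),
]

# 'required' alone: correct for LDAP users, but locks out purely local ones
REQUIRED_ONLY = [
    ("required", pam_login_access, ()),
    ("required", pam_ldap, ()),
    ("required", pam_unix, ()),
]

# The suggested fix: required plus ignore_unknown_user
FIXED = [
    ("required", pam_login_access, ()),
    ("required", pam_ldap, ("ignore_unknown_user",)),
    ("required", pam_unix, ()),
]


def outcomes(stack):
    """Final PAM code for each constructed user under the given stack."""
    return {user: run_stack(stack, user) for user in ("alice", "bob", "root")}


if __name__ == "__main__":
    for name, stack in (("posted", POSTED), ("required only", REQUIRED_ONLY), ("fixed", FIXED)):
        print("%-14s %s" % (name, outcomes(stack)))
```

Running it shows the effect described in the reply: with the posted stack, bob (removed from the host's group, so rejected by pam_authz_search) is still accepted, because the failure of a sufficient module is ignored and the required pam_unix module then succeeds. Making pam_ldap required denies bob, but without ignore_unknown_user it also denies root, who has no LDAP entry; with the option, pam_ldap returns PAM_IGNORE for root and pam_unix decides.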