
RE: system (pam) don't works right




Yes, ignore_unknown_user works with required!!! Thank you. But I do not 
understand why my config works in sshd and does not work in system (login includes 
the system config)?! Why did pam_unix.so return success for a user in LDAP after 
pam_ldap.so returned failure?!

On Thu, 2011-04-21 at 19:56 +0400, Варнаков Кирилл wrote:
> Hi, I use these options in the system (/etc/pam.d/) config on FreeBSD:
> 
> # account
> account         required        pam_login_access.so
> account         sufficient      /usr/local/lib/pam_ldap.so
> account         required        pam_unix.so 
> 
> and this filter in NSLCD:
> 
> pam_authz_search (&(AccountEnable=TRUE)(uid=$username)(|(memberOf=cn=$hostname,ou=servers,ou=sys,o=test,c=ru)(memberOf=cn=$hostname,ou=$service,ou=servers,ou=sys,o=test,c=ru)))
> 
> If I delete myself from all groups on the LDAP server, I can still log in 
> from the console on the server. If I use the same config in sshd (/etc/pam.d/), 
> I cannot log in under OpenSSH, i.e. it works correctly. Why?

I'm not too big an expert on PAM stuff but are you sure both applications 
(presumably login and sshd) have the same config?

Note that with the sufficient keyword there should be a fallback to the 
pam_unix module if pam_ldap returned failure. You may want to make it required 
and use the ignore_unknown_user option here.

--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
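The fallback Arthur describes can be seen by stepping through the account stack by hand. The following is an added illustration, not code from the thread or from nss-pam-ldapd: a small simulation of PAM control-flag evaluation (required/requisite/sufficient, with PAM_IGNORE skipped, as in OpenPAM and Linux-PAM) run over the posted stack and over the suggested "required + ignore_unknown_user" variant. The module functions are stubs with constructed sample data: "kirill" exists in LDAP but is in no host group, "root" is a purely local account.

```python
SUCCESS, IGNORE, DENY = "success", "ignore", "deny"

# Constructed sample data: 'kirill' is in LDAP (so NSS resolves him) but was
# removed from every host group; 'root' is local and not in LDAP at all.
LDAP_USERS = {"kirill"}
LDAP_AUTHORIZED = set()
LOCAL_USERS = {"root"}

def pam_login_access(user):
    return SUCCESS  # stub: assume /etc/login.access permits the user

def pam_ldap(user, ignore_unknown_user=False):
    # stub of pam_ldap account management as described in the thread
    if user not in LDAP_USERS:       # PAM_IGNORE vs PAM_USER_UNKNOWN
        return IGNORE if ignore_unknown_user else DENY
    return SUCCESS if user in LDAP_AUTHORIZED else DENY

def pam_unix(user):
    # stub: pam_unix only needs the account to resolve (locally or via NSS)
    return SUCCESS if user in LOCAL_USERS or user in LDAP_USERS else DENY

def run_account_stack(stack, user):
    """Evaluate [(control_flag, module), ...] with OpenPAM/Linux-PAM rules."""
    required_failed = False
    for flag, module in stack:
        r = module(user)
        if r == IGNORE:                 # result does not count at all
            continue
        if flag == "required" and r != SUCCESS:
            required_failed = True      # noted, but the stack keeps running
        elif flag == "requisite" and r != SUCCESS:
            return DENY                 # fail immediately
        elif flag == "sufficient" and r == SUCCESS and not required_failed:
            return SUCCESS              # short-circuit; later modules never run
        # a failing 'sufficient' module is simply skipped
    return DENY if required_failed else SUCCESS

# The poster's stack: pam_ldap is 'sufficient', so its denial is discarded.
POSTED_STACK = [("required", pam_login_access),
                ("sufficient", pam_ldap),
                ("required", pam_unix)]
# Arthur's suggestion: 'required' plus ignore_unknown_user.
FIXED_STACK = [("required", pam_login_access),
               ("required", lambda u: pam_ldap(u, ignore_unknown_user=True)),
               ("required", pam_unix)]

if __name__ == "__main__":
    for name, stack in (("posted", POSTED_STACK), ("fixed", FIXED_STACK)):
        for user in ("kirill", "root"):
            print(f"{name:6} {user:7} -> {run_account_stack(stack, user)}")
```

With the posted stack "kirill" is admitted because pam_unix has the last word; with the fixed stack he is denied, while "root" still gets in because pam_ldap returns PAM_IGNORE for an account it does not know.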
