RE: system (pam) don't works right
- From: Варнаков Кирилл <kvarnakov [at] cair.ru>
- To: <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: RE: system (pam) don't works right
- Date: Sat, 23 Apr 2011 17:16:53 +0400
Yes, ignore_unknown_user works with required!!! Thank you. But I do not
understand why my config works in sshd and does not work in system (login includes
the system config)?! Why did pam_unix.so return success for a user in LDAP after
pam_ldap.so returned failure?!
On Thu, 2011-04-21 at 19:56 +0400, Варнаков Кирилл wrote:
> Hi, I use these options in the system (/etc/pam.d/) config in FreeBSD:
>
> # account
> account required pam_login_access.so
> account sufficient /usr/local/lib/pam_ldap.so
> account required pam_unix.so
>
> and this filter in NSLCD:
>
> pam_authz_search (&(AccountEnable=TRUE)(uid=$username)(|(memberOf=cn=$hostname,ou=servers,ou=sys,o=test,c=ru)(memberOf=cn=$hostname,ou=$service,ou=servers,ou=sys,o=test,c=ru)))
>
> If I delete myself from all groups in the LDAP server, I can still log in
> from the console on the server. If I use the same config in sshd (/etc/pam.d/)
> I cannot log in over OpenSSH, i.e. it works correctly. Why?
I'm not too big an expert on PAM stuff, but are you sure both applications
(presumably login and sshd) have the same config?
Note that with the sufficient keyword there should be a fallback to the
pam_unix module if pam_ldap returned failure. You may want to make it required
and use the ignore_unknown_user option here.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
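The control-flag behaviour Arthur describes above, as an added illustration that is not code from nss-pam-ldapd or FreeBSD's PAM: a small model of how an account stack combines module results, run over the stack from the thread and over the suggested required + ignore_unknown_user variant. The user names, the LDAP directory contents and the "everyone allowed by login.access" assumption are constructed for the example.

```python
# Simplified model of how PAM evaluates an "account" stack, to show why the
# stack quoted in this thread still accepts an LDAP user after pam_ldap fails
# (sufficient lets pam_unix decide) and why required + ignore_unknown_user
# does not. Added illustration; not nss-pam-ldapd or OpenPAM code.

SUCCESS, PERM_DENIED, USER_UNKNOWN, IGNORE = "success", "denied", "unknown", "ignore"

# Constructed sample data: who LDAP knows, and who passes pam_authz_search
# (e.g. still a memberOf the host group). Everyone LDAP knows is also visible
# to getpwnam() through nslcd, which is what pam_unix consults.
LDAP_USERS = {"kirill": {"authorized": False}, "alice": {"authorized": True}}
NSS_USERS = set(LDAP_USERS) | {"root"}          # local passwd + LDAP via nslcd

def pam_ldap(user, ignore_unknown_user=False):
    entry = LDAP_USERS.get(user)
    if entry is None:
        # ignore_unknown_user: users not in LDAP give PAM_IGNORE, so the
        # stack falls through to pam_unix instead of failing a required step.
        return IGNORE if ignore_unknown_user else USER_UNKNOWN
    return SUCCESS if entry["authorized"] else PERM_DENIED

def pam_unix(user, **_):
    return SUCCESS if user in NSS_USERS else USER_UNKNOWN

def pam_login_access(user, **_):
    return SUCCESS  # assumption: /etc/login.access permits everyone

def run_stack(stack, user):
    """stack: list of (control, module, options); returns the final result."""
    failed = None                       # first failure of a 'required' module
    for control, module, opts in stack:
        rc = module(user, **opts)
        if rc == IGNORE:
            continue
        if control == "required" and rc != SUCCESS and failed is None:
            failed = rc                 # remember, but keep running the stack
        elif control == "requisite" and rc != SUCCESS:
            return rc                   # fail immediately
        elif control == "sufficient" and rc == SUCCESS and failed is None:
            return SUCCESS              # short-circuit; failure is ignored
    return failed or SUCCESS

# Stack from the thread: pam_ldap's denial is ignored, pam_unix says yes.
ORIGINAL = [("required", pam_login_access, {}),
            ("sufficient", pam_ldap, {}),
            ("required", pam_unix, {})]
# Arthur's suggestion: the denial now sticks, unknown users fall through.
FIXED = [("required", pam_login_access, {}),
         ("required", pam_ldap, {"ignore_unknown_user": True}),
         ("required", pam_unix, {})]
```

Running `run_stack(ORIGINAL, "kirill")` returns success even though pam_ldap denied the user, while `run_stack(FIXED, "kirill")` returns the denial and `run_stack(FIXED, "root")` still succeeds because root is unknown to LDAP.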