Yes, ignore_unknown_user works with required!!! Thank you. But I do not 
understand why my config works in sshd and does not work in system (login includes 
the system config)?! Why is success returned for a user in ldap after a failure was returned?!

On Thu, 2011-04-21 at 19:56 +0400, Варнаков Кирилл wrote:
> Hi, I use this options in system (/etc/pam.d/) config in freebsd:
> # account
> account         required
> account         sufficient      /usr/local/lib/
> account         required 
> and this filter in NSLCD:
> pam_authz_search (&(AccountEnable=TRUE)(uid=$username)(|(memberOf=cn=$hostname,ou=servers,ou=sys,o=test,c=ru)(memberOf=cn=$hostname,ou=$service,ou=servers,ou=sys,o=test,c=ru)))
> if I delete myself from all groups in ldap server, I still can login 
> from console on the server. If I use same config in sshd (/etc/pam.d/) 
> I cannot login under openssh, ie it works correctly. Why?

I'm not too big an expert on PAM stuff, but are you sure both applications 
(presumably login and sshd) have the same config?

Note that with the sufficient keyword there should be a fallback to the 
pam_unix module if pam_ldap returned failure. You may want to make it required 
and use the ignore_unknown_user option here.
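The control-flag behaviour described in the reply above, as an added example that is not part of the thread: a small model of how a PAM account stack is evaluated, showing why a denial from a "sufficient" pam_ldap falls through to pam_unix, and why "required" together with ignore_unknown_user gives the intended result for both LDAP and local-only users. The module names (pam_ldap.so, pam_unix.so) and the sample users are assumptions; the original post elides the module names.

```python
# Added example (not from the thread): a small model of PAM "account" stack
# evaluation with the simple control flags, showing why a "sufficient"
# pam_ldap denial falls through to pam_unix and why "required" plus
# ignore_unknown_user fixes it.  Module names are assumed; the thread elides them.
SUCCESS, PERM_DENIED, USER_UNKNOWN, IGNORE = (
    "success", "perm_denied", "user_unknown", "ignore")


def ldap_account(user, ldap_users, ignore_unknown_user):
    """Model of nslcd's pam_ldap account check.  ldap_users maps each LDAP
    user to whether pam_authz_search matched (True) or not (False)."""
    if user not in ldap_users:
        # local-only account: with ignore_unknown_user the module returns
        # PAM_IGNORE instead of failing with "user unknown"
        return IGNORE if ignore_unknown_user else USER_UNKNOWN
    return SUCCESS if ldap_users[user] else PERM_DENIED


def unix_account(user, resolvable_users):
    """Model of pam_unix account: succeeds for any user NSS can resolve."""
    return SUCCESS if user in resolvable_users else USER_UNKNOWN


def run_stack(stack, results):
    """stack: list of (control, module); results: module -> return code.
    Returns the verdict the application (login/sshd) finally sees."""
    failure = None
    for control, module in stack:
        rc = results[module]
        if rc == IGNORE:
            continue                # module stepped aside: no effect
        if control == "sufficient":
            if rc == SUCCESS and failure is None:
                return SUCCESS      # short-circuit: rest of stack skipped
            # a failing "sufficient" module is NOT fatal; keep going
        elif control == "required":
            if rc != SUCCESS and failure is None:
                failure = rc        # remembered, but the stack keeps running
        elif control == "requisite" and rc != SUCCESS:
            return rc               # fatal immediately
    return failure or SUCCESS


def account_verdict(user, ldap_control, ignore_unknown_user):
    ldap_users = {"ldapuser": False}        # constructed: in LDAP, in no groups
    resolvable = {"ldapuser", "root"}       # constructed: root is local only
    results = {"pam_ldap.so": ldap_account(user, ldap_users, ignore_unknown_user),
               "pam_unix.so": unix_account(user, resolvable)}
    stack = [(ldap_control, "pam_ldap.so"), ("required", "pam_unix.so")]
    return run_stack(stack, results)
```

With "sufficient", the LDAP user removed from all groups still gets "success" because pam_unix is the last word; with "required" the denial is fatal, and ignore_unknown_user keeps local-only accounts such as root from being rejected as unknown.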

