Re: Problem using pam_authz_search

On Wed, 2011-05-04 at 15:36 +0200, Guillaume HERAIL wrote:
> I set pam_authz_search in nslcd.conf but it seems to be ignored. I
> think it is related to my PAM config but I can't see where.
> 
> /etc/pam.d/common-account
> --
> account [success=2 new_authtok_reqd=done default=ignore]       pam_unix.so
> account [success=1 default=ignore]      pam_ldap.so
> account requisite                       pam_deny.so
> account required                        pam_permit.so
> 
> I can't see any reference to nslcd_authz_search when I run nslcd in
> debug mode.

The problem is that if pam_unix succeeds pam_ldap is skipped. The
easiest way to force pam_unix to fail in this set-up is to not provide
shadow information through LDAP in /etc/nsswitch.conf.

This does however mean that password expiration set in the shadow
attributes is no longer validated (the next development version will
duplicate this checking in the pam_ldap authorisation check though).

Another option would be to rearrange your PAM stack (the problem with
PAM is that there are a million ways to describe basically the same
thing) like so:

account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_unix.so
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_ldap.so minimum_uid=1000

or (this is currently the Debian default):

account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_ldap.so minimum_uid=1000

I would recommend passing the minimum_uid option to pam_ldap to avoid
clutter in the logs and avoid unnecessary LDAP lookups.

Hope this helps.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
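The control-flag logic behind the answer above, as an added example that is not part of the thread: a small Python model of how Linux-PAM walks an account stack, run over the poster's original stack and the rearranged one. The module return values it feeds in are constructed outcomes, and the `perm_denied` fallback stands in for PAM_PERM_DENIED.

```python
"""Constructed model of Linux-PAM "account" stack evaluation (an added
example, not code from the thread). It implements only the control
actions the stacks above use (ok, done, ignore, bad, die and the numeric
jump) to show why pam_ldap.so, and with it nslcd's pam_authz_search, is
never consulted in the original stack once pam_unix.so has succeeded."""

# Linux-PAM's expansions of the "requisite" and "required" keywords
REQUISITE = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"}
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"}
# The control field suggested in the reply, used for pam_unix and pam_ldap
STRICT = {"success": "ok", "new_authtok_reqd": "done", "ignore": "ignore",
          "user_unknown": "ignore", "authinfo_unavail": "ignore", "default": "bad"}

# The poster's /etc/pam.d/common-account: "success=2" jumps over pam_ldap
ORIGINAL_STACK = [
    ({"success": 2, "new_authtok_reqd": "done", "default": "ignore"}, "pam_unix.so"),
    ({"success": 1, "default": "ignore"}, "pam_ldap.so"),
    (REQUISITE, "pam_deny.so"),
    (REQUIRED, "pam_permit.so"),
]
# The rearranged stack from the reply: both modules always run
REARRANGED_STACK = [(STRICT, "pam_unix.so"), (STRICT, "pam_ldap.so")]


def run_stack(stack, returns):
    """Walk a stack; return (final status, modules actually called).
    `returns` maps module name -> constructed return value for this user."""
    status, failed, called, i = None, False, [], 0
    while i < len(stack):
        control, module = stack[i]
        called.append(module)
        ret = returns[module]
        action = control.get(ret, control["default"])
        i += 1
        if action == "ignore":          # leaves the stack result untouched
            continue
        if action in ("bad", "die"):
            if not failed:              # the first failure sets the result
                status, failed = ret, True
            if action == "die":
                break
            continue
        if not failed:                  # ok, done and a jump all count as ok
            status = ret
            if action == "done":
                break
        if isinstance(action, int):     # "success=N" skips the next N modules
            i += action
    # No module set a result: Linux-PAM fails closed (PAM_PERM_DENIED)
    return (status if status is not None else "perm_denied"), called
```

With pam_unix succeeding, the original stack never calls pam_ldap.so even when it would deny the user, while the rearranged stack runs both modules and returns the denial.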