
Re: Problem with PAM. ldap and su -

On Mon, 2011-05-30 at 08:13 +0000, Teichert, Robert wrote:
> I have nslcd running on Ubuntu 10.10.
> Most of it seems to run fine but ONE thing is not working correctly:
> 
> root@vm1:/etc# su - UserB
> LDAP authorisation check failed
> su: Permission denied
> (Ignored)
> UserB@vm1:~$
> 
> => That is definitely NOT ok. Both authentication mechanisms should
>    prevent login (ldap and local passwd). What's going on here? How to
>    prevent the login? The host based filtering is managed by the
>    nslcd.conf entry pam_authz_search (&(uv-userName=
>    $username)(uv-loginAllowed=true)(|(host=$hostname)(host=\\*)))

I think the PAM stack ignores the result of pam_ldap. Can you provide
your PAM authorisation (account) configuration? The "LDAP authorisation
check failed" is the message that is shown when the pam_authz_search
provides no matches.

> root@vm1:/etc# su - UserC
> LDAP authorisation check failed
> UserC@vm1:~$
> 
> => The result is ok, but the output is useless. Any idea how to get
>    rid of it?

If UserC doesn't exist in LDAP the authorisation search shouldn't be
performed and the PAM module should return USER_UNKNOWN.

Depending on your PAM stack you could use the ignore_unknown_user and/or
minimum_uid options to change how users are handled.

Without more information on your PAM stack and any nslcd (debugging)
output it is hard to say more.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
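The following is an added illustration of the two points in the reply above; it is not part of the thread and not the poster's actual configuration, which was never posted. The first stack is a constructed example of the pattern Arthur suspects: a jump rule lets a pam_unix success skip pam_ldap entirely, so the pam_authz_search verdict is never consulted for users that pam_unix accepts. The second stack makes pam_ldap's result mandatory and uses the ignore_unknown_user and minimum_uid options mentioned in the reply so that purely local accounts (root, a local UserC) are not subjected to the LDAP search at all. The file path and the uid threshold of 1000 are assumptions for the example.

```conf
# /etc/pam.d/common-account  (constructed example, assumed path)

# --- Stack 1: pam_ldap's result is effectively ignored ----------------
# When pam_unix succeeds, "success=2" skips the next two lines (pam_ldap
# and pam_deny) and lands on pam_permit, so the account is allowed
# without the LDAP authorisation check ever deciding anything.
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore]                       pam_ldap.so
account requisite                                        pam_deny.so
account required                                         pam_permit.so

# --- Stack 2: pam_ldap's result is honoured -----------------------------
# Both modules run and both must succeed. ignore_unknown_user makes
# pam_ldap return PAM_IGNORE (no search, no "LDAP authorisation check
# failed" message) for users that do not exist in LDAP; minimum_uid
# additionally skips system accounts below the assumed threshold.
account required  pam_unix.so
account required  pam_ldap.so ignore_unknown_user minimum_uid=1000
```

With the second stack an LDAP user whose pam_authz_search filter yields no match is denied at the account stage, while a local-only user passes on the pam_unix result alone. Running nslcd with the debug option while performing the su shows which search was issued and whether it matched.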