Re: Problem with PAM. ldap and su -
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: Problem with PAM. ldap and su -
- Date: Fri, 03 Jun 2011 13:45:38 +0200
On Mon, 2011-05-30 at 08:13 +0000, Teichert, Robert wrote:
> I have nslcd running on Ubuntu 10.10.
> Most of it seems to run fine but ONE thing is not working correctly:
>
> root@vm1:/etc# su - UserB
> LDAP authorisation check failed
> su: Permission denied
> (Ignored)
> UserB@vm1:~$
>
> => That is definitely NOT ok. Both authentication mechanisms should
> prevent login (ldap and local passwd). What's going on here? How to
> prevent the login? The host based filtering is managed by the
> nslcd.conf entry pam_authz_search (&(uv-userName=
> $username)(uv-loginAllowed=true)(|(host=$hostname)(host=\\*)))
I think the PAM stack ignores the result of pam_ldap. Can you provide
your PAM authorisation (account) configuration? The "LDAP authorisation
check failed" is the message that is shown when the pam_authz_search
provides no matches.
> root@vm1:/etc# su - UserC
> LDAP authorisation check failed
> UserC@vm1:~$
>
> => The result is ok, but the output is useless. Any idea how to get
> rid of it?
If UserC doesn't exist in LDAP the authorisation search shouldn't be
performed and the PAM module should return USER_UNKNOWN.
Depending on your PAM stack you could use the ignore_unknown_user and/or
minimum_uid options to change how users are handled.
Without more information on your PAM stack and any nslcd (debugging)
output it is hard to say more.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
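As an added example, not part of the original thread nor of the nss-pam-ldapd project, the POSIX shell check below illustrates the misconfiguration Arthur suspects: an "account" stack in which a pam_unix.so success jumps over pam_ldap.so, so the pam_authz_search result never decides the outcome and su proceeds despite the "LDAP authorisation check failed" message. The two stacks are constructed assumptions modelled on the pam-auth-update layout used by Ubuntu, not Robert's actual configuration; the jump arithmetic follows Linux-PAM's [success=N] semantics (skip the next N modules). The function name pam_ldap_decisive is hypothetical.

```shell
#!/bin/sh
# Constructed sample (assumption, not from the original message): a pam-auth-update style
# account stack. pam_unix.so succeeding jumps 2 modules ahead, past pam_ldap.so, so the
# LDAP authorisation filter is never consulted for a user that pam_unix knows about.
WEAK_STACK='account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so'

# One possible corrected arrangement (assumption): pam_ldap.so is "required" and runs for
# every user that pam_unix accepts; ignore_unknown_user lets purely local accounts pass.
FIXED_STACK='account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_ldap.so ignore_unknown_user
account required pam_permit.so'

# pam_ldap_decisive STACK_TEXT
# Prints one word describing whether the pam_ldap.so result can decide the account phase:
#   missing   - no pam_ldap.so line in the account stack
#   skippable - an earlier "sufficient" module or a [success=N] jump can bypass pam_ldap.so
#   ignored   - pam_ldap.so is reached but its failure is ignored (optional / default=ignore)
#   decisive  - pam_ldap.so is always reached and its failure fails the stack
# Heuristic only: it reads the lines handed to it and does not follow @include directives,
# so pass the expanded stack (e.g. the contents of common-account) rather than /etc/pam.d/su.
pam_ldap_decisive() {
  printf '%s\n' "$1" | awk '
    $1 == "account" { n++; line[n] = $0 }
    END {
      ldap = 0
      for (i = 1; i <= n; i++) if (line[i] ~ /pam_ldap\.so/) { ldap = i; break }
      if (!ldap) { print "missing"; exit }
      for (i = 1; i < ldap; i++) {
        if (line[i] ~ /[ \t]sufficient[ \t]/) { print "skippable"; exit }
        # [success=N] skips the next N modules, so line i jumps to line i+N+1
        if (match(line[i], /success=[0-9]+/)) {
          jump = substr(line[i], RSTART + 8, RLENGTH - 8) + 0
          if (i + jump + 1 > ldap) { print "skippable"; exit }
        }
      }
      if (line[ldap] ~ /[ \t]optional[ \t]/ || line[ldap] ~ /default=ignore/) {
        print "ignored"; exit
      }
      print "decisive"
    }'
}

printf 'weak stack:  %s\n' "$(pam_ldap_decisive "$WEAK_STACK")"
printf 'fixed stack: %s\n' "$(pam_ldap_decisive "$FIXED_STACK")"
```

To check a live system, feed it the expanded account stack, e.g. `pam_ldap_decisive "$(cat /etc/pam.d/common-account)"`; anything other than "decisive" means the pam_authz_search outcome can be bypassed for some users, which is exactly the symptom in the quoted su session. Combining this with nslcd debugging output (`nslcd -d`) shows whether the filter was evaluated at all for a given login.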