
Re: pam_ldap + no_warn + pam_authz_search = issue?

On Fri, 2012-10-26 at 18:07 +1100, Lawrence Stewart wrote:
> Is having the no_warn option with an account entry expected
> to make that entry effectively a nop as far as the PAM stack is
> concerned?

The no_warn option should only affect the error messages that get
reported back to the PAM application (and the user) with pam_error() and
shouldn't affect the result of the PAM operation as such (the ignore_*
options should only do this).

> root@newtcphub:/root # grep account /etc/pam.d/sshd
> # account
> account         required
> #account        required
> account         required
> account         sufficient      /usr/local/lib/
> account         required

The above would just mean that the result of pam_ldap is skipped if it
fails and pam_unix is tried instead. Whether pam_unix succeeds or fails
for LDAP users in such a set-up is very dependent on the NSS side of
things (at least on Linux, I can't say I know all the details of
FreeBSD's pam_unix).

It is probably better to use something like the following:

account required ignore_unknown_user

Another option is to do something like:

account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]

Also, you might consider adding ignore_authinfo_unavail to keep the
system accessible if the LDAP server is unavailable (also for the auth
phase). Another nice one to speed things up in case of networking
problems is minimum_uid.

If the authorisation step doesn't fail if the message is presented to
the user it could be that FreeBSD's PAM implementation (or SSH)
interprets any error messages shown as a PAM stack failure.

-- arthur - - --
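As an added illustration (not code from this thread or from nss-pam-ldapd), here is a small Python model of Linux-PAM control-flag evaluation that runs the quoted sufficient/required account stack next to the two alternatives suggested above. The module names pam_ldap.so/pam_unix.so, the string return codes and the outcome of each module are assumptions, and the model simplifies pam_dispatch (in particular around new_authtok_reqd).

```python
# Toy model of Linux-PAM control-flag evaluation (pam.conf(5)), used here to
# compare the account stacks discussed in the mail. Not Linux-PAM's own code.
# Keyword controls are written in the explicit [ret=action] form.
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore",
            "default": "bad"}
SUFFICIENT = {"success": "done", "new_authtok_reqd": "done", "default": "ignore"}
# The explicit control line from the mail.
BRACKET = {"success": "ok", "new_authtok_reqd": "done", "ignore": "ignore",
           "user_unknown": "ignore", "authinfo_unavail": "ignore", "default": "bad"}

def pam_ldap(outcome, options=()):
    """Map pam_ldap's raw outcome to its return code under the given options.
    no_warn only silences messages, so it never changes the return code."""
    if outcome == "user_unknown" and "ignore_unknown_user" in options:
        return "ignore"
    if outcome == "authinfo_unavail" and "ignore_authinfo_unavail" in options:
        return "ignore"
    return outcome

def run_stack(stack):
    """stack: list of (control, return_code) in order. Returns the PAM result."""
    status = None                                # no module has contributed yet
    for control, retval in stack:
        action = control.get(retval, control["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if status in (None, "success"):      # an earlier failure is never overridden
                status = retval
            if action == "done" and status == "success":
                break                            # sufficient-style early return
        else:                                    # "bad" or "die"
            if status in (None, "success"):      # first failure wins
                status = retval
            if action == "die":
                break
    return "perm_denied" if status is None else status   # nothing contributed => denied

def lawrence_stack(ldap, unix):
    """account sufficient pam_ldap.so no_warn, then account required pam_unix.so"""
    return run_stack([(SUFFICIENT, pam_ldap(ldap, ("no_warn",))), (REQUIRED, unix)])

def required_stack(ldap, unix):
    """account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail,
    then account required pam_unix.so"""
    opts = ("ignore_unknown_user", "ignore_authinfo_unavail")
    return run_stack([(REQUIRED, pam_ldap(ldap, opts)), (REQUIRED, unix)])

def bracket_stack(ldap, unix):
    """account [success=ok ... default=bad] pam_ldap.so, then required pam_unix.so"""
    return run_stack([(BRACKET, pam_ldap(ldap)), (REQUIRED, unix)])
```

The point to check is the second case: with "sufficient", an LDAP user rejected by pam_authz_search still passes if pam_unix accepts the account, whereas with "required" the rejection sticks and local users are still handled because user_unknown is ignored.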