Re: pam_ldap + no_warn + pam_authz_search = issue?
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: pam_ldap + no_warn + pam_authz_search = issue?
- Date: Fri, 26 Oct 2012 15:09:44 +0200
On Fri, 2012-10-26 at 18:07 +1100, Lawrence Stewart wrote:
> Is having the no_warn option with a pam_ldap.so account entry expected
> to make that entry effectively a nop as far as the PAM stack is
> concerned?
The no_warn option should only affect the error messages that get
reported back to the PAM application (and the user) with pam_error() and
shouldn't affect the result of the PAM operation as such (the ignore_*
options should only do this).
> root@newtcphub:/root # grep account /etc/pam.d/sshd
> # account
> account required pam_nologin.so
> #account required pam_krb5.so
> account required pam_login_access.so
> account sufficient /usr/local/lib/pam_ldap.so
> account required pam_unix.so
The above would just mean that the result of pam_ldap is skipped if it
fails and pam_unix is tried instead. Whether pam_unix succeeds or fails
for LDAP users in such a set-up is very dependent on the NSS side of
things (at least on Linux, I can't say I know all the details of
FreeBSD's pam_unix).
It is probably better to use something like the following:
account required pam_ldap.so ignore_unknown_user
Another option is to do something like:
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so
Also, you might consider adding ignore_authinfo_unavail to keep the
system accessible if the LDAP server is unavailable (also for the auth
phase). Another nice one to speed things up in case of networking
problems is minimum_uid.
If the authorisation step doesn't fail if the message is presented to
the user it could be that FreeBSD's PAM implementation (or SSH)
interprets any error messages shown as a PAM stack failure.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
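The stack behaviour described in the reply, as an added example (not code from the thread or from nss-pam-ldapd): a small simulator of how Linux-PAM evaluates an account stack following the [value=action] rules of pam.d(5), run over the quoted configuration and the two suggested pam_ldap lines with constructed module outcomes. It goes beyond the thread's lines in that it accepts any keyword or bracketed control, and it assumes pam_ldap's ignore_unknown_user and ignore_authinfo_unavail options behave as returning PAM_IGNORE for the matching failure.

```python
# Added example (not code from the thread or nss-pam-ldapd): simulates how
# Linux-PAM walks an account stack per the [value=action] rules of pam.d(5).
# Module outcomes per scenario are constructed.
KEYWORDS = {  # keyword controls expressed as pam.d(5) defines them
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
}
# pam_ldap options that turn a specific failure into PAM_IGNORE (assumed)
IGNORE_OPTS = {"user_unknown": "ignore_unknown_user",
               "authinfo_unavail": "ignore_authinfo_unavail"}

def parse_control(control):
    """Turn 'required' or '[success=ok default=bad]' into a value->action map."""
    control = KEYWORDS.get(control, control)
    return dict(tok.split("=", 1) for tok in control.strip("[]").split())

def module_result(module, options, raw):
    if module == "pam_ldap.so" and IGNORE_OPTS.get(raw) in options:
        return "ignore"
    return raw

def run_stack(stack, outcomes):
    """stack: [(control, module, options)]; outcomes: module -> return code."""
    impression, status = None, None          # None / 'pos' / 'neg'
    for control, module, options in stack:
        rc = module_result(module, options, outcomes[module])
        actions = parse_control(control)
        action = "ignore" if rc == "ignore" else actions.get(rc, actions["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", rc
            if action == "done" and impression == "pos":
                break                            # 'sufficient' ends the stack
        elif action in ("bad", "die"):
            if impression != "neg":              # first failure is what is reported
                impression, status = "neg", rc
            if action == "die":
                break
    return status if impression is not None else "perm_denied"

# The quoted stack (pam_nologin/pam_login_access omitted) and the two alternatives.
ORIGINAL = [("sufficient", "pam_ldap.so", ("no_warn",)), ("required", "pam_unix.so", ())]
SUGGESTED = [("required", "pam_ldap.so", ("ignore_unknown_user",)),
             ("required", "pam_unix.so", ())]
BRACKET = [("[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore"
            " authinfo_unavail=ignore default=bad]", "pam_ldap.so", ()),
           ("required", "pam_unix.so", ())]
# Constructed outcomes: authz-denied LDAP user, local user, LDAP server down.
DENIED = {"pam_ldap.so": "perm_denied", "pam_unix.so": "success"}
LOCAL = {"pam_ldap.so": "user_unknown", "pam_unix.so": "success"}
LDAP_DOWN = {"pam_ldap.so": "authinfo_unavail", "pam_unix.so": "success"}
```

With the quoted stack the authz-denied LDAP user ends in "success" because pam_unix decides, whereas both suggested lines return "perm_denied"; FreeBSD's OpenPAM accepts only the keyword controls, so the bracketed line applies to Linux-PAM.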