lists.arthurdejong.org

Re: pam_unix succeeds unexpectedly with libnss-ldapd


Christopher Price wrote:
> I am attempting to replace libnss-ldap with libnss-ldapd. I am running Ubuntu 
> 16.04 and controlling LDAP access via the pam_listfile module in 
> /etc/pam.d/common-account.
>
> /etc/pam.d/common-auth
> auth    required        pam_env.so envfile=/etc/default/locale
> auth    sufficient      pam_unix.so nullok_secure
> auth    required        pam_ldap.so use_first_pass
>
> /etc/pam.d/common-account
> account sufficient pam_unix.so
> account required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
> account required pam_ldap.so

This works for me:

    /etc/pam.d/dovecot-staff.master.pam:
    auth required pam_listfile.so item=group sense=allow file=/etc/dovecot/dovecot-staff.master.groups onerr=fail
    @include common-auth
    @include common-account
    @include common-session

The most obvious thing I notice is that you're using pam_listfile in account, 
not auth.
This is contrary to the pam_listfile manpage examples.
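An added example, not part of either message: a simplified model of how libpam walks a stack, run over the two layouts in this thread, showing that a successful `sufficient` pam_unix ends the account stack before pam_listfile is consulted, while a `required` pam_listfile placed first cannot be skipped. The module outcomes and the hand-flattened `@include common-auth` are assumptions made for the illustration, and only the `required`, `requisite` and `sufficient` controls are modelled.

```python
# Added illustration: simplified model of libpam's stack walk for the
# simple control keywords required / requisite / sufficient only.

# The quoted /etc/pam.d/common-account from the thread.
QUOTED = """\
account sufficient pam_unix.so
account required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
account required pam_ldap.so
"""

# The reply's auth stack with @include common-auth flattened by hand
# (constructed for this example from the lines shown in the thread).
REPLY = """\
auth required pam_listfile.so item=group sense=allow file=/etc/dovecot/dovecot-staff.master.groups onerr=fail
auth required pam_env.so envfile=/etc/default/locale
auth sufficient pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
"""

def parse(text, mgmt):
    """Return [(control, module)] for one management group."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt:
            rules.append((fields[1], fields[2]))
    return rules

def evaluate(rules, outcomes):
    """Return (granted, modules_run); outcomes maps module -> True/False."""
    failed, ran = False, []
    for control, module in rules:
        ok = outcomes[module]
        ran.append(module)
        if not ok and control == "requisite":
            return False, ran           # fail immediately
        if not ok and control == "required":
            failed = True               # remember the failure, keep walking
        if ok and control == "sufficient" and not failed:
            return True, ran            # success ends the stack here
    return not failed, ran

# Assumed outcomes: an LDAP user who is NOT in the allowed group, with
# pam_unix succeeding as the thread subject reports.
OUTCOMES = {"pam_unix.so": True, "pam_listfile.so": False,
            "pam_ldap.so": True, "pam_env.so": True}

if __name__ == "__main__":
    print(evaluate(parse(QUOTED, "account"), OUTCOMES))
    print(evaluate(parse(REPLY, "auth"), OUTCOMES))
```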