
pam_ldap should return ignore when uid is less than minimum_uid




Hi,

Below is part of my login PAM stack setup.
        session required pam_unix.so
        session required pam_ldap.so minimum_uid=10000

This setup will not let root log in. It will return with the following error:
        User not known to the underlying authentication module

When I changed to the following, the root login will succeed.
        session required pam_unix.so
        session [success=ok default=1] pam_succeed_if.so uid >= 10000
        session required pam_ldap.so

It seems that if the test 'minimum_uid=10000' failed, pam_ldap will return PAM
bad (or something not ok), rather than PAM ignore, which is what I expected by
reading the man page:

minimum_uid=UID
        This option causes the PAM module to ignore the user if the user id is
        lower than the specified value. This can be used to bypass LDAP checks
        for system users (e.g. by setting it to 1000).

By reading the source code, adding ignore_unknown_user will do the
trick anyway.


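An added example, not part of the original post and not code from nss-pam-ldapd or Linux-PAM: a simplified Python model of how Linux-PAM combines module return codes, run over the three session stacks from the message for a root login. The per-module return codes are assumptions: PAM_USER_UNKNOWN is inferred from the quoted error text, PAM_IGNORE with ignore_unknown_user from the poster's report, and PAM_AUTH_ERR for the failed pam_succeed_if test.

```python
# Simplified model of Linux-PAM stack dispatch: only the "ok", "bad",
# "ignore" and jump (N) actions are modelled; die/done/reset are omitted.
SUCCESS, IGNORE, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = (
    "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR",
    "PAM_USER_UNKNOWN", "PAM_PERM_DENIED")

# "required" is shorthand for this bracket form (see pam.conf(5)).
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok",
            "ignore": "ignore", "default": "bad"}
SKIP_ONE = {"success": "ok", "default": 1}      # [success=ok default=1]
KEY = {SUCCESS: "success", IGNORE: "ignore"}    # return code -> control key


def run_stack(stack):
    """stack: list of (name, control, return_code); returns the final code."""
    status, impression, skip = PERM_DENIED, None, 0
    for name, control, ret in stack:
        if skip:                    # module jumped over, never called
            skip -= 1
            continue
        action = control.get(KEY.get(ret, "default"), control["default"])
        if action == "ok":
            if impression is None or (impression == "pos" and status == SUCCESS):
                status, impression = ret, "pos"
        elif action == "bad":
            if impression != "neg":  # the first failure sets the final code
                status, impression = ret, "neg"
        elif isinstance(action, int):
            skip = action            # skip the next N modules
        # action == "ignore": the module contributes nothing
    return status


# Constructed module results for a root (uid 0) session; see assumptions above.
ORIGINAL = [("pam_unix", REQUIRED, SUCCESS),
            ("pam_ldap minimum_uid=10000", REQUIRED, USER_UNKNOWN)]
WORKAROUND = [("pam_unix", REQUIRED, SUCCESS),
              ("pam_succeed_if uid >= 10000", SKIP_ONE, AUTH_ERR),
              ("pam_ldap", REQUIRED, USER_UNKNOWN)]   # skipped by the jump
WITH_IGNORE = [("pam_unix", REQUIRED, SUCCESS),
               ("pam_ldap minimum_uid=10000 ignore_unknown_user",
                REQUIRED, IGNORE)]

if __name__ == "__main__":
    for label, stack in (("original", ORIGINAL), ("workaround", WORKAROUND),
                         ("ignore_unknown_user", WITH_IGNORE)):
        print(f"{label:20} -> {run_stack(stack)}")
```

Under `required`, any code other than success or ignore is a failure, which is why a PAM_USER_UNKNOWN from the last module blocks root even though pam_unix succeeded.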