Re: pam_ldap should return ignore when uid is less than minimum_uid

nia wrote:
> Below is part of my login PAM stack setup.
>       session required pam_unix.so
>       session required pam_ldap.so minimum_uid=10000
>
> This setup will not let root login. It will return with the following error:
>       User not known to the underlying authentication module
>
> When I changed to the following, the root login will succeed.
>       session required pam_unix.so
>       session [success=ok default=1] pam_succeed_if.so uid >= 10000
>       session required pam_ldap.so

FWIW Debian/Ubuntu pam-auth-update framework generates configs like this:

    # grep -v ^# /etc/pam.d/common-auth
    auth    [success=2 default=ignore]      pam_unix.so nullok_secure
    auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
    auth    requisite                       pam_deny.so
    auth    required                        pam_permit.so
    auth    optional                        pam_cap.so

I believe those first two lines mean:

    You can log in if you're a valid unix user **OR** a valid ldap user.

I believe your original rules (two "required"s) mean:

    You can log in if you're a valid unix user **AND** a valid ldap user.

I'm always afraid to muck up my pam config, so I generally leave it to the 
experts.

Of course, even experts can muck up pam config:
https://coreos.com/blog/security-brief-coreos-linux-alpha-remote-ssh-issue.html


PS: pam-auth-update appears to be a Debian edit to the core pam package,
so it's probably nontrivial to cpan it into other OSs/distros:

    https://sources.debian.org/src/pam/1.1.8-3.7/debian/local/
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/
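The OR-versus-AND point made in the reply above can be checked by walking the two stacks with the control semantics from pam.d(5). The following is an added example, not code from the mail, from Linux-PAM or from nss-pam-ldapd: a toy evaluator of the `required`/`requisite`/`sufficient`/`optional` keywords and the `[value=action]` form (ok, bad, die, done, ignore, and the "jump N" action), run over the two-"required" stack and the Debian common-auth shape quoted above. The user records, passwords and module functions (`pam_unix`, `pam_ldap`, `pam_deny`, `pam_permit`) are constructed stand-ins; the `below_min_status` parameter is an assumption used to contrast the behaviour nia observed (pam_ldap reporting "user unknown" below `minimum_uid`) with the PAM_IGNORE behaviour the thread subject asks for.

```python
"""Toy evaluator for Linux-PAM stack control actions (added example, not project code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Traditional keywords expanded to their [value=action] equivalents, as documented in pam.d(5).
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Constructed user databases: a local /etc/passwd-style entry and an LDAP entry.
LOCAL_USERS = {"root":  {"uid": 0,     "password": "constructed-root-pw"}}
LDAP_USERS  = {"alice": {"uid": 10001, "password": "constructed-alice-pw"}}


def parse_control(control: str) -> Dict[str, str]:
    """Turn 'required' or '[success=2 default=ignore]' into a {status: action} map."""
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError(f"unknown control field: {control}")
    return dict(item.split("=", 1) for item in control[1:-1].split())


@dataclass
class Module:
    control: Dict[str, str]
    func: Callable[[dict], str]   # takes {"user": ..., "password": ...}, returns a status
    name: str


def run_stack(stack: List[Module], creds: dict) -> str:
    """Walk the stack like libpam: the first 'bad' sticks, 'ok' only counts while
    nothing has failed, 'done'/'die' stop early, 'ignore' does not contribute,
    and a numeric action is 'ok' plus a jump over that many modules."""
    result = None            # None means no module has contributed a result yet
    i = 0
    while i < len(stack):
        mod = stack[i]
        status = mod.func(creds)
        action = mod.control.get(status, mod.control.get("default", "bad"))
        skip = 0
        if action.isdigit():
            skip, action = int(action), "ok"
        if action == "ok":
            if result is None:
                result = "success"
        elif action == "done":
            return result or "success"
        elif action == "bad":
            result = "fail"
        elif action == "die":
            return "fail"
        # action == "ignore": nothing contributed
        i += 1 + skip
    return result or "fail"   # a stack where nothing contributed denies access


def pam_unix(creds: dict) -> str:
    entry = LOCAL_USERS.get(creds["user"])
    if entry is None:
        return "user_unknown"
    return "success" if entry["password"] == creds["password"] else "auth_err"


def pam_ldap(minimum_uid: int, below_min_status: str = "user_unknown") -> Callable[[dict], str]:
    """below_min_status is an assumption: 'user_unknown' reproduces what nia reported,
    'ignore' models the behaviour the thread subject proposes."""
    def check(creds: dict) -> str:
        entry = LOCAL_USERS.get(creds["user"]) or LDAP_USERS.get(creds["user"])  # NSS-style lookup
        if entry is None:
            return "user_unknown"
        if entry["uid"] < minimum_uid:
            return below_min_status
        if creds["user"] not in LDAP_USERS:
            return "user_unknown"
        return "success" if entry["password"] == creds["password"] else "auth_err"
    return check


def original_stack(below_min_status: str = "user_unknown") -> List[Module]:
    """nia's two-'required' lines (modelled here as an auth stack)."""
    return [
        Module(parse_control("required"), pam_unix, "pam_unix"),
        Module(parse_control("required"), pam_ldap(10000, below_min_status), "pam_ldap"),
    ]


def debian_stack() -> List[Module]:
    """Shape of the pam-auth-update common-auth quoted in the mail."""
    return [
        Module(parse_control("[success=2 default=ignore]"), pam_unix, "pam_unix"),
        Module(parse_control("[success=1 default=ignore]"), pam_ldap(1000), "pam_ldap"),
        Module(parse_control("requisite"), lambda c: "perm_denied", "pam_deny"),
        Module(parse_control("required"), lambda c: "success", "pam_permit"),
    ]


if __name__ == "__main__":
    root = {"user": "root", "password": "constructed-root-pw"}
    alice = {"user": "alice", "password": "constructed-alice-pw"}
    for label, stack in [("two required", original_stack()),
                         ("two required, ldap ignores below minimum_uid", original_stack("ignore")),
                         ("debian jump style", debian_stack())]:
        print(f"{label:45} root={run_stack(stack, root):8} alice={run_stack(stack, alice)}")
```

With the two-"required" stack root is denied (pam_unix succeeds but pam_ldap's "user unknown" is a `bad` that sticks) and alice is denied too (pam_unix fails first), which is the AND reading; the jump-style stack lets either pam_unix or pam_ldap carry the login straight to pam_permit and only falls through to pam_deny when both decline, which is the OR reading. Changing pam_ldap to return ignore below `minimum_uid` is what makes root pass the original stack.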