Pam Authorization Problem
jesk
jesk at killall.org
Thu Nov 18 01:27:25 PST 2004
>> Because you have specified that the failure of pam_ldap is not fatal to
>> the account stack. The "sufficient" control means:
>> If this module returns success, then stop stack processing and return
>> success to the application. Otherwise continue processing.
>>
>> Since the access check constitutes a "failure" and "sufficient"
>> effectively ignores failures, you've made the access checks useless. :)
>>
>> You probably want to set it to "required", but there are a couple of
>> options to mask certain failure modes you may need to set so that you get
>> the proper fallback to local logins. Those options are
>>
>> ignore_unknown_user
>> ignore_authinfo_unavail
>>
>> Add these to the end of the 'account ..pam_ldap' line.
in fact, this is really working with such options:
---
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_krb5.so
account required pam_login_access.so
account required /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
---
I am very amazed, because I thought that with this LDAP line it is also
necessary that 'account required pam_unix.so' returns 'ok' for the
authorization part to be successful, but the LDAP account is not available there.
But thanks anyway, it solved my requirements!
regards,
christian
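To make the control-flag behaviour discussed above concrete, here is an added example (not code from the thread or from PAM itself): a small Python simulator of required/requisite/sufficient/optional semantics run over the two account stacks from this message, with constructed module outcomes standing in for pam_login_access, pam_ldap and pam_unix.

```python
# Added example (not from the thread): a small simulator of PAM control-flag
# semantics for an account stack, used to show why the "sufficient" pam_ldap
# line ignored LDAP access denials and why "required" plus ignore_unknown_user
# / ignore_authinfo_unavail still lets local-only users in. Module outcomes
# are constructed stand-ins; no real PAM module is called.

SUCCESS = "success"
AUTH_ERR = "auth_err"                  # module denies access
USER_UNKNOWN = "user_unknown"          # account not in this backend
AUTHINFO_UNAVAIL = "authinfo_unavail"  # backend (e.g. LDAP server) unreachable
IGNORE = "ignore"                      # PAM_IGNORE: line has no effect on result

def run_stack(stack, results):
    """Evaluate stack = [(control, module, options)] against results = {module: code}
    and return the code the application sees (required/requisite/sufficient/optional)."""
    first_failure = None   # a failing 'required' module is remembered, not returned yet
    consulted = False
    for control, module, options in stack:
        code = results[module]
        # pam_ldap's ignore_* options turn these two outcomes into PAM_IGNORE
        if code == USER_UNKNOWN and "ignore_unknown_user" in options:
            code = IGNORE
        if code == AUTHINFO_UNAVAIL and "ignore_authinfo_unavail" in options:
            code = IGNORE
        if code == IGNORE:
            continue
        consulted = True
        if control == "required" and code != SUCCESS:
            first_failure = first_failure or code   # keep going; later modules still run
        elif control == "requisite" and code != SUCCESS:
            return first_failure or code            # fail the stack immediately
        elif control == "sufficient" and code == SUCCESS and first_failure is None:
            return SUCCESS                          # stop here; pam_unix is never asked
        # a failing 'sufficient' or any 'optional' result is simply dropped
    return first_failure or (SUCCESS if consulted else IGNORE)

# The two account stacks from the thread (pam_login_access, pam_ldap, pam_unix).
LDAP = "/usr/local/lib/pam_ldap.so"
ACCOUNT_SUFFICIENT = [("required", "pam_login_access.so", ()),
                      ("sufficient", LDAP, ()),
                      ("required", "pam_unix.so", ())]
ACCOUNT_REQUIRED = [("required", "pam_login_access.so", ()),
                    ("required", LDAP, ("ignore_authinfo_unavail", "ignore_unknown_user")),
                    ("required", "pam_unix.so", ())]

def outcomes(ldap_code, unix_code=SUCCESS):
    """Constructed per-module results: login.access permits, LDAP/unix as given."""
    return {"pam_login_access.so": SUCCESS, LDAP: ldap_code, "pam_unix.so": unix_code}

if __name__ == "__main__":
    print("sufficient, LDAP denies:", run_stack(ACCOUNT_SUFFICIENT, outcomes(AUTH_ERR)))
    print("required,   LDAP denies:", run_stack(ACCOUNT_REQUIRED, outcomes(AUTH_ERR)))
    print("required,   local user :", run_stack(ACCOUNT_REQUIRED, outcomes(USER_UNKNOWN)))
```

Dropping the two ignore_* options from ACCOUNT_REQUIRED makes a local-only user fail with user_unknown, which is the broken local fallback the quoted reply warns about.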
More information about the freebsd-stable mailing list