5.1 beta2 still in trouble with pam_ldap
Dag-Erling Smorgrav
des at ofug.org
Thu May 22 15:26:24 PDT 2003
Frank Bonnet <bonnetf at bart.esiee.fr> writes:
> if in any file of the pam.d directory I replace
> the original line:
>
> auth required pam_unix.so no_warn try_first_pass nullok
>
> by the following
>
> auth sufficient /usr/local/lib/pam_ldap.so
>
> for example in the /etc/pam.d/su file I can perform the "su -"
> command WITHOUT TYPING ANY PASSWORD from a normal user login.
If pam_ldap is the last line, it should be "required", not
"sufficient"; alternatively it should be followed by pam_deny. This
is (imperfectly) documented in /etc/pam.d/README:
Note that having a "sufficient" module as the last entry for a
particular service and module type may result in surprising behaviour.
To get the intended semantics, add a "required" entry listing the
pam_deny module at the end of the chain.
Solaris introduced the "binding" flag to try to alleviate this
problem. OpenPAM supports "binding", but does not document it
anywhere.
DES
--
Dag-Erling Smorgrav - des at ofug.org
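As an added illustration (not part of the thread), a small Python model of how a PAM chain combines its control flags, using the flags and module names from the mail. The semantics are a simplified reading of required/requisite/sufficient/optional/binding as the reply describes them (a failing "sufficient" entry is skipped, and a chain with no failed "required" entry succeeds); they are an assumption for the demo, not OpenPAM's source, and some implementations add an extra sanity check on top.

```python
# Added example: simplified PAM chain evaluation showing why a lone
# "sufficient" pam_ldap line lets "su -" through without a password,
# and why ending the chain with "required" (or pam_deny) fixes it.
# Flag semantics are a simplified model, not OpenPAM's actual code.

def run_chain(chain, results):
    """chain: list of (flag, module). results: {module: True/False}
    per-module outcome. Returns True if the chain reports success."""
    failed = False  # set once a required/binding/requisite module fails
    for flag, module in chain:
        ok = results[module]
        if flag == "requisite" and not ok:
            return False                    # requisite failure ends it at once
        if flag in ("required", "binding") and not ok:
            failed = True                   # remember, but run the rest
        elif flag in ("sufficient", "binding") and ok and not failed:
            return True                     # short-circuit success
        # "optional" entries and a *failing* "sufficient" entry are skipped
    # Nothing required failed, so the chain succeeds, even if nothing
    # actually authenticated the user. That is the surprise in the mail.
    return not failed

BROKEN  = [("sufficient", "pam_ldap")]                  # Frank's su auth line
FIXED_A = [("required",   "pam_ldap")]                  # last line made "required"
FIXED_B = [("sufficient", "pam_ldap"),
           ("required",   "pam_deny")]                  # or end with pam_deny
FIXED_C = [("binding",    "pam_ldap")]                  # Solaris-style "binding"

# Constructed outcomes: pam_deny always fails; pam_ldap fails when the
# user typed no (or a wrong) password and succeeds on a valid LDAP login.
no_password = {"pam_ldap": False, "pam_deny": False}
good_ldap   = {"pam_ldap": True,  "pam_deny": False}

def demo():
    """Return {name: (result with no password, result with good LDAP auth)}."""
    cases = [("broken", BROKEN), ("required", FIXED_A),
             ("deny", FIXED_B), ("binding", FIXED_C)]
    return {name: (run_chain(c, no_password), run_chain(c, good_ldap))
            for name, c in cases}

if __name__ == "__main__":
    for name, (bad, good) in demo().items():
        print(f"{name:9s} no-password -> {bad!s:5s} good-ldap -> {good}")
```

Only the "broken" chain returns success for the no-password case; the three fixes all deny it while still accepting a valid LDAP login.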