5.1 beta2 still in trouble with pam_ldap
Gordon Tetlow
gordont at gnf.org
Thu May 22 15:48:52 PDT 2003
On Fri, May 23, 2003 at 12:26:20AM +0200, Dag-Erling Smorgrav wrote:
> Frank Bonnet <bonnetf at bart.esiee.fr> writes:
> > if in any file of the pam.d directory I replace
> > the original line:
> >
> > auth required pam_unix.so no_warn try_first_pass nullok
> >
> > by the following
> >
> > auth sufficient /usr/local/lib/pam_ldap.so
> >
> > for example in the /etc/pam.d/su file I can perform the "su -"
> > command WITHOUT TYPING ANY PASSWORD from a normal user login.
>
> If pam_ldap is the last line, it should be "required", not
> "sufficient"; alternatively it should be followed by pam_deny. This
> is (imperfectly) documented in /etc/pam.d/README:
>
> Note that having a "sufficient" module as the last entry for a
> particular service and module type may result in surprising behaviour.
> To get the intended semantics, add a "required" entry listing the
> pam_deny module at the end of the chain.
Do you think it might be a good idea to change all the pam configuration
files to list the actual providers as sufficient, followed by a pam_deny:
auth sufficient pam_krb5.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so
auth required pam_deny.so
This makes it very explicit as to what's going on and makes it so the
last entry isn't different merely because it's last.
> Solaris introduced the "binding" flag to try to alleviate this
> problem. OpenPAM supports "binding", but does not document it
> anywhere.
I'm unfamiliar with this option. What's it do?
-gordon
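The "sufficient as the last entry" pitfall and the pam_deny fix proposed above, as an added example that is not part of this thread or of OpenPAM: a small Python model of auth-chain dispatch that parses pam.d-style lines and evaluates the control flags. The dispatch rules are an assumption modelled on what the thread describes (a failing sufficient module merely falls through, so a chain with no required failure ends in success), not a transcription of OpenPAM's source; the "binding" rule follows Solaris pam.conf(4), where success with no earlier required failure returns immediately and failure counts as a required failure. The stand-in modules and their fixed passwords ("ldap-secret" and so on) are constructed for the example.

```python
"""Toy model of PAM auth-chain dispatch (added example, not OpenPAM code).

Control flags modelled (assumption, see lead-in):
  required   - failure marks the chain failed, later modules still run
  requisite  - failure ends the chain immediately with failure
  sufficient - success ends the chain immediately unless an earlier required
               module failed; failure only falls through to the next entry
  binding    - (Solaris semantics) success ends the chain immediately unless
               an earlier required module failed; failure counts as required
"""
from typing import Callable, Dict, List, Tuple

PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7
FLAGS = ("required", "requisite", "sufficient", "binding")

# Constructed stand-in modules: each succeeds only on its own fixed password;
# pam_deny always fails. Real modules consult the system; these do not.
MODULES: Dict[str, Callable[[str], int]] = {
    "pam_unix.so": lambda pw: PAM_SUCCESS if pw == "unix-secret" else PAM_AUTH_ERR,
    "pam_ldap.so": lambda pw: PAM_SUCCESS if pw == "ldap-secret" else PAM_AUTH_ERR,
    "pam_krb5.so": lambda pw: PAM_SUCCESS if pw == "krb5-secret" else PAM_AUTH_ERR,
    "pam_deny.so": lambda pw: PAM_PERM_DENIED,
}


def parse_chain(config: str) -> List[Tuple[str, str]]:
    """Parse 'auth <flag> <module> [args]' lines into (flag, module) pairs."""
    chain = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            raise ValueError(f"unsupported line: {line!r}")
        flag, module = fields[1].lower(), fields[2].rsplit("/", 1)[-1]
        if flag not in FLAGS:
            raise ValueError(f"unknown control flag {flag!r}")
        chain.append((flag, module))
    return chain


def dispatch(chain: List[Tuple[str, str]], password: str) -> int:
    """Evaluate the chain; returns the PAM result code for the whole stack."""
    fail, err = False, PAM_SUCCESS          # first required/binding failure wins
    for flag, module in chain:
        r = MODULES[module](password)
        if flag in ("required", "binding"):
            if r != PAM_SUCCESS:
                if not fail:
                    fail, err = True, r
            elif flag == "binding" and not fail:
                return PAM_SUCCESS          # binding success ends the chain
        elif flag == "requisite":
            if r != PAM_SUCCESS:
                return err if fail else r   # requisite failure ends the chain
        elif flag == "sufficient":
            if r == PAM_SUCCESS and not fail:
                return PAM_SUCCESS          # sufficient success ends the chain
            # a failing sufficient module is ignored: fall through
    # Off the end: with no required failure recorded the chain "succeeds",
    # which is the surprising behaviour when a failing sufficient is last.
    return err if fail else PAM_SUCCESS


def authenticate(config: str, password: str) -> int:
    return dispatch(parse_chain(config), password)


def ends_with_sufficient(config: str) -> bool:
    """Lint for the README's warning case: last auth entry is 'sufficient'."""
    chain = parse_chain(config)
    return bool(chain) and chain[-1][0] == "sufficient"


# The su stack from the report: a lone sufficient pam_ldap line.
FRANK_SU = "auth sufficient /usr/local/lib/pam_ldap.so\n"

# The proposed stack: providers as sufficient, then an explicit pam_deny.
GORDON_SU = """
auth sufficient pam_krb5.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so
auth required   pam_deny.so
"""

if __name__ == "__main__":
    for name, cfg in (("lone sufficient", FRANK_SU), ("with pam_deny", GORDON_SU)):
        print(f"{name:16s} wrong password -> {authenticate(cfg, 'wrong')}"
              f"  (trailing sufficient: {ends_with_sufficient(cfg)})")
```

With the model's rules, the lone-sufficient su stack returns PAM_SUCCESS for a wrong password because nothing ever records a failure, while the pam_deny-terminated stack returns PAM_PERM_DENIED and still lets any one of the three providers succeed on its own. The lint function is the check to run over a pam.d directory after editing it.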