5.1 beta2 still in trouble with pam_ldap
Dag-Erling Smorgrav
des at ofug.org
Fri May 23 07:33:13 PDT 2003
Ruslan Ermilov <ru at freebsd.org> writes:
> In a chain with multiple "binding" modules, only the _last_
> failure gets ignored? Meaning, if some other module succeeds,
> override the failure status, right?
Failure of a "binding" module causes the entire chain to fail once it
has completed. The error returned is that returned by the first
non-"optional", non-"sufficient" module that failed.
Failure of a "sufficient" module, on the other hand, is always ignored
(so if no other non-"optional", non-"sufficient" module failed, the
chain will succeed). This is what constantly surprises users, and
what "binding" was introduced to alleviate.
See the PAM article for details - particularly the following two
sections:
http://www.freebsd.org/doc/en/articles/pam/pam-essentials.html#PAM-CHAINS-POLICIES
http://www.freebsd.org/doc/en/articles/pam/pam-config.html#PAM-POLICIES
DES
--
Dag-Erling Smorgrav - des at ofug.org
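
The chain rules described in the message above, as an added example that is not part of the original post and is not OpenPAM code. It is a simplified model: the early-exit behaviour on success and the "requisite" rule follow the control flag definitions in the linked PAM article, and the module results and error codes in the sample chains are constructed.

```python
SUCCESS = "PAM_SUCCESS"

def run_chain(chain):
    """chain: list of (control_flag, module_name, result) tuples.
    Returns (chain_result, names of the modules that were executed)."""
    failed = False   # has a non-"optional", non-"sufficient" module failed?
    error = None     # error code of the first such module
    ran = []
    for flag, name, result in chain:
        ran.append(name)
        if result == SUCCESS:
            # Success of "sufficient"/"binding" ends the chain at once,
            # but only if no earlier module has already failed it.
            if flag in ("sufficient", "binding") and not failed:
                break
            continue
        if flag in ("sufficient", "optional"):
            continue             # failure is ignored
        if not failed:
            failed, error = True, result   # keep the FIRST recorded error
        if flag == "requisite":
            break                # failure stops the chain immediately
    return (error if failed else SUCCESS), ran

# Constructed sample chains: (control flag, module, result the module returns).
# A failing "sufficient" module is overridden by a later success:
LDAP_SUFFICIENT = [("sufficient", "pam_ldap", "PAM_ACCT_EXPIRED"),
                   ("required", "pam_unix", SUCCESS)]
# The same chain with "binding": the failure sticks, the rest still runs:
LDAP_BINDING = [("binding", "pam_ldap", "PAM_ACCT_EXPIRED"),
                ("required", "pam_unix", SUCCESS)]
# Two "binding" modules: a later success does not override the failure:
TWO_BINDING = [("binding", "pam_ldap", "PAM_ACCT_EXPIRED"),
               ("binding", "pam_unix", SUCCESS)]

if __name__ == "__main__":
    for label, chain in [("sufficient", LDAP_SUFFICIENT),
                         ("binding", LDAP_BINDING),
                         ("two binding", TWO_BINDING)]:
        print(label, run_chain(chain))
```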