From: Dag-Erling Smorgrav
To: Frank Bonnet
Cc: freebsd-current@freebsd.org
Date: Fri, 23 May 2003 00:26:20 +0200
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
In-Reply-To: <20030522184631.A23366@bart.esiee.fr> (Frank Bonnet's message of "Thu, 22 May 2003 18:46:31 +0200")

Frank Bonnet writes:
> If in any file of the pam.d directory I replace the original line:
>
>   auth required pam_unix.so no_warn try_first_pass nullok
>
> by the following
>
>   auth sufficient /usr/local/lib/pam_ldap.so
>
> for example in the /etc/pam.d/su file, I can perform the "su -"
> command WITHOUT TYPING ANY PASSWORD from a normal user login.

If pam_ldap is the last line, it should be "required", not "sufficient";
alternatively it should be followed by pam_deny.

This is (imperfectly) documented in /etc/pam.d/README:

    Note that having a "sufficient" module as the last entry for a
    particular service and module type may result in surprising
    behaviour. To get the intended semantics, add a "required" entry
    listing the pam_deny module at the end of the chain.

Solaris introduced the "binding" flag to try to alleviate this problem.
OpenPAM supports "binding", but does not document it anywhere.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
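A check for the misconfiguration discussed in this thread, added here as an example and not part of the original message or of OpenPAM: a shell function that reports when the last entry of a given PAM module type in a pam.d-style file carries the "sufficient" control flag. The two sample files are constructed for the demonstration; the pam_ldap path and the pam_deny fix are the ones from the message.

```shell
#!/bin/sh
# Added example (not from the original message or from OpenPAM): flag a PAM
# chain whose final entry for a given module type is "sufficient", the
# configuration that let "su -" succeed without a password in the report.

# last_is_sufficient FILE TYPE: returns 0 if the last TYPE entry in FILE has
# the control flag "sufficient", 1 otherwise. Comments and blank lines are
# skipped; "include"d files are not followed, so this is a first-pass lint.
last_is_sufficient() {
    last=$(awk -v t="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }  # comment or blank
        $1 == t { last = $2 }                         # remember control flag
        END     { print last }' "$1")
    [ "$last" = "sufficient" ]
}

# Constructed sample: the chain from the report, pam_ldap as a trailing
# "sufficient" entry with nothing required after it, which /etc/pam.d/README
# warns gives surprising behaviour.
weak=$(mktemp)
cat > "$weak" <<'EOF'
# auth chain for su, as reported
auth    sufficient  /usr/local/lib/pam_ldap.so
EOF

# Constructed sample: the same chain closed with the "required" pam_deny
# entry the README recommends; pam_ldap must now succeed explicitly or the
# chain ends in a denial.
fixed=$(mktemp)
cat > "$fixed" <<'EOF'
auth    sufficient  /usr/local/lib/pam_ldap.so
auth    required    pam_deny.so
EOF

for f in "$weak" "$fixed"; do
    if last_is_sufficient "$f" auth; then
        echo "$f: auth chain ends in a \"sufficient\" entry; add 'auth required pam_deny.so'"
    else
        echo "$f: auth chain is terminated by a required entry"
    fi
done
rm -f "$weak" "$fixed"
```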