From owner-freebsd-current@FreeBSD.ORG  Fri May 23 07:33:13 2003
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 89E6837B401; Fri, 23 May 2003 07:33:13 -0700 (PDT)
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 6707843FAF; Fri, 23 May 2003 07:33:12 -0700 (PDT)
	(envelope-from des@ofug.org)
Received: by flood.ping.uio.no (Postfix, from userid 2602)
	id 38E45530E; Fri, 23 May 2003 16:33:09 +0200 (CEST)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: Ruslan Ermilov <ru@freebsd.org>
References: <20030522184631.A23366@bart.esiee.fr>
	<xzp65o2zkhf.fsf@flood.ping.uio.no>
	<20030522224850.GK87863@roark.gnf.org>
	<xzpof1uy28n.fsf@flood.ping.uio.no>
	<20030523060846.GC17107@sunbay.com>
	<xzp4r3mxjrx.fsf@flood.ping.uio.no>
	<20030523062848.GG17107@sunbay.com>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: Fri, 23 May 2003 16:33:09 +0200
In-Reply-To: <20030523062848.GG17107@sunbay.com> (Ruslan Ermilov's message
 of "Fri, 23 May 2003 09:28:48 +0300")
Message-ID: <xzpr86pwx5m.fsf@flood.ping.uio.no>
User-Agent: Gnus/5.1001 (Gnus v5.10.1) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: freebsd-current@freebsd.org
cc: Frank Bonnet <bonnetf@bart.esiee.fr>
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 23 May 2003 14:33:13 -0000

Ruslan Ermilov <ru@freebsd.org> writes:
> In a chain with mutiple "binding" modules, only the _last_
> failure gets ignored?  Meaning, if some other module succeeds,
> override the failure status, right?

Failure of a "binding" module causes the entire chain to fail once it
has completed.  The error returned is that returned by the first
non-"optional", non-"sufficient" module that failed.

Failure of a "sufficient" module, on the other hand, is always ignored
(so if no other non-"optional", non-"sufficient" module failed, the
chain will succeed).  This is what constantly surprises users, and
what "binding" was introduced to alleviate.

See the PAM article for details - particularly the following two
sections:

http://www.freebsd.org/doc/en/articles/pam/pam-essentials.html#PAM-CHAINS-POLICIES
http://www.freebsd.org/doc/en/articles/pam/pam-config.html#PAM-POLICIES

DES
-- 
Dag-Erling Smorgrav - des@ofug.org