Date: Fri, 23 May 2003 22:37:24 +0300
From: Ruslan Ermilov
To: Dag-Erling Smorgrav
cc: current@FreeBSD.org
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
Message-ID: <20030523193724.GA9240@sunbay.com>

On Fri, May 23, 2003 at 04:33:09PM +0200, Dag-Erling Smorgrav wrote:
> Ruslan Ermilov writes:
> > In a chain with multiple "binding" modules, only the _last_
> > failure gets ignored?  Meaning, if some other module succeeds,
> > override the failure status, right?
>
> Failure of a "binding" module causes the entire chain to fail once it
> has completed.  The error returned is that returned by the first
> non-"optional", non-"sufficient" module that failed.
>
> Failure of a "sufficient" module, on the other hand, is always ignored
> (so if no other non-"optional", non-"sufficient" module failed, the
> chain will succeed).  This is what constantly surprises users, and
> what "binding" was introduced to alleviate.
>
> See the PAM article for details - particularly the following two
> sections:
>
> http://www.freebsd.org/doc/en/articles/pam/pam-essentials.html#PAM-CHAINS-POLICIES
> http://www.freebsd.org/doc/en/articles/pam/pam-config.html#PAM-POLICIES
>
Thanks, DES!  I think I now understand this much better.  :-)

And I have the following question for you:

Why is pam_nologin in the "auth" chain of the "login" service
marked "required" and not "requisite", and why do we have the
"required" at all?  What's the point in continuing with the
chain if we are going to return the failure anyway?  What's
the real application of "required" as compared to "requisite"?

Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
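
The control-flag rules discussed in this message, as an added example (not part of the original post and not OpenPAM's own code): a small Python model that follows the rules stated in the quoted reply, with the behaviour of "required", "requisite" and "optional" taken from the linked PAM article. The function name, the chain layout and the module results are constructed for illustration.

```python
PAM_SUCCESS = "PAM_SUCCESS"
FLAGS = {"required", "requisite", "sufficient", "binding", "optional"}

def run_chain(chain):
    """Evaluate a chain of (control_flag, module, result) entries.

    `result` is the constructed return value of each module: PAM_SUCCESS or
    an error name. Returns (final_result, modules_actually_executed).
    """
    first_error = None   # first failure of a non-optional, non-sufficient module
    executed = []
    for flag, module, result in chain:
        if flag not in FLAGS:
            raise ValueError(f"unknown control flag: {flag!r}")
        executed.append(module)
        ok = result == PAM_SUCCESS
        if flag == "optional":
            continue                  # result is ignored either way
        if flag == "sufficient" and not ok:
            continue                  # failure of "sufficient" is always ignored
        if ok:
            # "sufficient"/"binding" end the chain early only if nothing failed yet
            if flag in ("sufficient", "binding") and first_error is None:
                break
            continue
        if first_error is None:
            first_error = result      # from here on the chain can only fail
        if flag == "requisite":
            break                     # stop at once; later modules never run
    return first_error or PAM_SUCCESS, executed

# Constructed chains; the module results are made up for the demonstration.
LDAP_DOWN = ("pam_ldap", "PAM_AUTHINFO_UNAVAIL")
UNIX_OK = ("pam_unix", PAM_SUCCESS)
NOLOGIN_FAIL = ("pam_nologin", "PAM_AUTH_ERR")
CHAINS = {
    "sufficient_fails": [("sufficient", *LDAP_DOWN), ("required", *UNIX_OK)],
    "binding_fails": [("binding", *LDAP_DOWN), ("required", *UNIX_OK)],
    "two_binding": [("binding", *LDAP_DOWN), ("binding", *UNIX_OK),
                    ("required", "pam_nologin", PAM_SUCCESS)],
    "required_nologin": [("required", *NOLOGIN_FAIL), ("required", *UNIX_OK)],
    "requisite_nologin": [("requisite", *NOLOGIN_FAIL), ("required", *UNIX_OK)],
}

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        print(name, *run_chain(chain))
```

In this model "required" and "requisite" return the same error for the pam_nologin chains; the only difference is whether pam_unix still runs.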