Date:      Thu, 18 Nov 2004 10:27:22 +0100
From:      jesk <jesk@killall.org>
To:        jesk@killall.org, Doug White <dwhite@gumbysoft.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Pam Authorization Problem
Message-ID:  <2F887177131431751CB6B6CB@jesk.int.de.clara.net>
In-Reply-To: <BB0586A6DD82B937DC1DF167@jesk.int.de.clara.net>
References:  <2627048885E8BF7F8DCDCFD2@jesk.int.de.clara.net> <200411102021.18553.pokui@psg.com> <001001c4c755$2eb4b980$45fea8c0@turbofresse> <20041117184612.J29048@carver.gumbysoft.com> <BB0586A6DD82B937DC1DF167@jesk.int.de.clara.net>


>> Because you have specified that the failure of pam_ldap is not fatal to
>> the account stack. The "sufficient" control means:
>> If this module returns success, then stop stack processing and return
>> success to the application. Otherwise continue processing.
>>
>> Since the access check constitutes a "failure" and "sufficient"
>> effectively ignores failures, you've made the access checks useless. :)
>>
>> You probably want to set it to "required", but there are a couple of
>> options to mask certain failure modes you may need to set so that you get
>> the proper fallback to local logins.  Those options are
>>
>> ignore_unknown_user
>> ignore_authinfo_unavail
>>
>> Add these to the end of the 'account ..pam_ldap' line.

in fact, this is really working with such options:
---
# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
---

I am very amazed, because I thought that with this LDAP line it is also
necessary that 'account required pam_unix.so' returns 'ok' for the
authorization part to be successful, but the LDAP account is not available there.
But thanks anyway, it solved my requirements!

regards,
christian
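Added example, not part of the thread: a small Python simulation of how the 'account' stack above is evaluated with 'sufficient' versus 'required' on the pam_ldap line, and what the two ignore_* options change. The module outcomes, the user list and the LDAP-down case are constructed inputs; ignore_unknown_user and ignore_authinfo_unavail are modelled as turning those two errors into PAM_IGNORE, and the chain rules are a simplified version of OpenPAM's.

```python
from dataclasses import dataclass, field

SUCCESS, AUTH_ERR, USER_UNKNOWN, AUTHINFO_UNAVAIL, IGNORE = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN", "PAM_AUTHINFO_UNAVAIL", "PAM_IGNORE")

@dataclass
class Entry:
    control: str                      # required | requisite | sufficient | optional
    module: str
    options: set = field(default_factory=set)

def run_module(entry, user, ldap):
    """Constructed stand-ins for the real modules' account checks (assumption)."""
    if entry.module != "pam_ldap":
        return SUCCESS                # pam_login_access / pam_unix: assume the account is fine
    if not ldap["up"]:
        r = AUTHINFO_UNAVAIL          # LDAP server unreachable
    elif user not in ldap["users"]:
        r = USER_UNKNOWN              # purely local account, not in the directory
    else:
        r = SUCCESS if ldap["users"][user] else AUTH_ERR   # pam_ldap host/group access check
    # The two options from the thread, modelled as mapping the error to PAM_IGNORE
    if r == USER_UNKNOWN and "ignore_unknown_user" in entry.options:
        return IGNORE
    if r == AUTHINFO_UNAVAIL and "ignore_authinfo_unavail" in entry.options:
        return IGNORE
    return r

def run_stack(stack, user, ldap):
    """Simplified OpenPAM chain rules: sufficient ignores failures, required records them."""
    err = None
    for e in stack:
        r = run_module(e, user, ldap)
        if r == IGNORE:                                   # treated as if the line were absent
            continue
        if e.control == "requisite" and r != SUCCESS:
            return r                                      # fail the stack immediately
        if e.control == "required" and r != SUCCESS and err is None:
            err = r                                       # remember first failure, keep going
        if e.control == "sufficient" and r == SUCCESS and err is None:
            return SUCCESS                                # short-circuit success
    return err or SUCCESS

# Constructed data: alice passes the LDAP access check, bob is denied by it, root is local only.
LDAP = {"up": True, "users": {"alice": True, "bob": False}}
OLD = [Entry("required", "pam_login_access"), Entry("sufficient", "pam_ldap"),
       Entry("required", "pam_unix")]
NEW = [Entry("required", "pam_login_access"),
       Entry("required", "pam_ldap", {"ignore_authinfo_unavail", "ignore_unknown_user"}),
       Entry("required", "pam_unix")]
```

With OLD, bob's failed LDAP access check is swallowed and the stack still succeeds; with NEW it is fatal, while local users and an unreachable directory still fall back to pam_unix.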

