From owner-freebsd-stable@FreeBSD.ORG Thu Nov 18 09:27:25 2004
Date: Thu, 18 Nov 2004 10:27:22 +0100
From: jesk
Reply-To: jesk@killall.org
To: jesk@killall.org, Doug White
cc: Patrick Okui
cc: freebsd-stable@freebsd.org
Subject: Re: Pam Authorization Problem
Message-ID: <2F887177131431751CB6B6CB@jesk.int.de.clara.net>
References: <2627048885E8BF7F8DCDCFD2@jesk.int.de.clara.net> <200411102021.18553.pokui@psg.com> <001001c4c755$2eb4b980$45fea8c0@turbofresse> <20041117184612.J29048@carver.gumbysoft.com>

>> Because you have specified that the failure of pam_ldap is not fatal to
>> the account stack. The "sufficient" control means:
>> If this module returns success, then stop stack processing and return
>> success to the application. Otherwise continue processing.
>>
>> Since the access check constitutes a "failure" and "sufficient"
>> effectively ignores failures, you've made the access checks useless. :)
>>
>> You probably want to set it to "required", but there are a couple of
>> options to mask certain failure modes you may need to set so that you get
>> the proper fallback to local logins. Those options are
>>
>> ignore_unknown_user
>> ignore_authinfo_unavail
>>
>> Add these to the end of the 'account ..pam_ldap' line.

In fact, this is really working with such options:

---
# auth
auth        required    pam_nologin.so                  no_warn
auth        sufficient  pam_opie.so                     no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so               no_warn allow_local
#auth       sufficient  pam_krb5.so                     no_warn try_first_pass
#auth       sufficient  pam_ssh.so                      no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth        required    pam_unix.so                     no_warn try_first_pass

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    /usr/local/lib/pam_ldap.so      ignore_authinfo_unavail ignore_unknown_user
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    pam_permit.so

# password
#password   sufficient  pam_krb5.so                     no_warn try_first_pass
password    required    pam_unix.so                     no_warn try_first_pass
---

I am very amazed, because I thought that with this ldap line it's also necessary that 'account required pam_unix.so' must return 'ok' for the authorization part to be successful, but the ldap account is not available there. But thanks anyway, it solved my requirements!

regards,
christian
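As an added illustration (not from the mail, and not FreeBSD's or pam_ldap's own code), the following Python model walks the account stack under the control-flag rules Doug White describes, so the effect of "sufficient" versus "required" plus the ignore_* options can be checked on the three cases that matter: an LDAP user failing the access check, a local-only user, and an unreachable LDAP server. The return codes, the "before" stack and the assumption that pam_unix passes for both kinds of user are constructed here.

```python
# Added example, not from the mail: a small model of PAM control-flag
# semantics, to show why "sufficient" masks an LDAP access denial on the
# account stack and why "required" needs the ignore_* options to fall back
# to local logins.  Return codes are a constructed subset of the real PAM set.
SUCCESS, PERM_DENIED, USER_UNKNOWN, AUTHINFO_UNAVAIL, IGNORE = range(5)

def run_stack(stack, results):
    """stack: [(control, module, options)] in file order; results: module -> code."""
    failed = False
    for control, module, opts in stack:
        rc = results[module]
        # pam_ldap's ignore_* options turn these two failures into PAM_IGNORE
        if rc == USER_UNKNOWN and "ignore_unknown_user" in opts:
            rc = IGNORE
        if rc == AUTHINFO_UNAVAIL and "ignore_authinfo_unavail" in opts:
            rc = IGNORE
        if rc == IGNORE:
            continue                      # module has no say in the result
        if control == "requisite" and rc != SUCCESS:
            return False                  # fail immediately
        if control == "required" and rc != SUCCESS:
            failed = True                 # remember, but keep evaluating the chain
        if control == "sufficient" and rc == SUCCESS and not failed:
            return True                   # short-circuit: later modules are skipped
        # a failure from a "sufficient" module is simply ignored (the original bug)
    return not failed

# "before": reconstructed from Doug White's description of the original stack
ACCOUNT_BEFORE = [("required", "pam_login_access.so", ""),
                  ("sufficient", "pam_ldap.so", ""),
                  ("required", "pam_unix.so", "")]
# "after": the account section posted in the mail
ACCOUNT_AFTER = [("required", "pam_login_access.so", ""),
                 ("required", "pam_ldap.so", "ignore_authinfo_unavail ignore_unknown_user"),
                 ("required", "pam_unix.so", "")]
# "required" without the ignore_* options, for comparison
ACCOUNT_STRICT = [(c, m, "") for c, m, _ in ACCOUNT_AFTER]

def account_ok(stack, ldap_rc, unix_rc=SUCCESS):
    """Outcome of the account stack for one login; pam_unix is assumed to pass."""
    return run_stack(stack, {"pam_login_access.so": SUCCESS,
                             "pam_ldap.so": ldap_rc, "pam_unix.so": unix_rc})

if __name__ == "__main__":
    print("LDAP access denied, before:", account_ok(ACCOUNT_BEFORE, PERM_DENIED))     # True (bug)
    print("LDAP access denied, after: ", account_ok(ACCOUNT_AFTER, PERM_DENIED))      # False
    print("local-only user, strict:   ", account_ok(ACCOUNT_STRICT, USER_UNKNOWN))    # False
    print("local-only user, after:    ", account_ok(ACCOUNT_AFTER, USER_UNKNOWN))     # True
    print("LDAP server down, after:   ", account_ok(ACCOUNT_AFTER, AUTHINFO_UNAVAIL)) # True
```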