From owner-freebsd-stable@FreeBSD.ORG Thu Nov 18 12:18:32 2004
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6DD2F16A4CE for ; Thu, 18 Nov 2004 12:18:32 +0000 (GMT)
Received: from thekla.de.clara.net (thekla.de.clara.net [212.82.225.81]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0FCDC43D1D for ; Thu, 18 Nov 2004 12:18:32 +0000 (GMT) (envelope-from jesk@killall.org)
Received: from localhost.de.clara.net ([127.0.0.1] helo=localhost) by thekla.de.clara.net with esmtp (Exim 4.30; FreeBSD) id 1CUlF9-0003iX-5P; Thu, 18 Nov 2004 13:18:31 +0100
Received: from kamikaze-studio.int.de.clara.net ([192.168.0.232]) by thekla.de.clara.net with esmtp (Exim 4.30; FreeBSD) id 1CUlF8-0003hn-Vt; Thu, 18 Nov 2004 13:18:30 +0100
Date: Thu, 18 Nov 2004 13:18:26 +0100
From: jesk
To: Doug White
Message-ID: <154B409211E0F95AECBC0708@jesk.int.de.clara.net>
In-Reply-To: <2F887177131431751CB6B6CB@jesk.int.de.clara.net>
References: <2627048885E8BF7F8DCDCFD2@jesk.int.de.clara.net> <200411102021.18553.pokui@psg.com> <001001c4c755$2eb4b980$45fea8c0@turbofresse> <20041117184612.J29048@carver.gumbysoft.com> <2F887177131431751CB6B6CB@jesk.int.de.clara.net>
X-Mailer: Mulberry/3.1.6 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
cc: Patrick Okui
cc: freebsd-stable@freebsd.org
Subject: Re: Pam Authorization Problem
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: jesk@killall.org
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 18 Nov 2004 12:18:32 -0000

> I am very amazed, because I thought that with this LDAP line it's also
> necessary that
> 'account required pam_unix.so' must return 'ok' for the authorization
> part to be successful, but the LDAP account is not available there.
> But thanks anyway, it solved my requirements!

Hi again,

I recognized that if the user is found via AUTH in LDAP and authenticated there, it's not possible for ACCOUNT to jump from pam_ldap.so to pam_unix.so. I checked this when I used 'su' to switch to root, but then I got the message:

---
You must be a uniqueMember of cn=klever,ou=hosts,dc=x,dc=x,dc=x to login.
su: Sorry
---

root does exist in LDAP for AUTH but not for ACCOUNT, but root should be used locally via pam_unix.so. /etc/pam.d/system is configured like /etc/pam.d/sshd, and so /etc/pam.d/su should very likely be the same as /etc/pam.d/sshd through the include in it. Maybe you have an answer to this too :)

Thanks!
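As an added illustration (not code from this thread or from FreeBSD), here is a small Python model of how a PAM 'account' chain is evaluated under the OpenPAM/Linux-PAM control-flag rules (required, requisite, sufficient, optional). The module outcomes for root and for an LDAP user are constructed inputs: the assumption is that pam_unix.so accepts root while pam_ldap.so rejects it, as in the "su: Sorry" message above. It goes beyond the message by also evaluating an alternative ordering with pam_unix.so marked 'sufficient'.

```python
# Simplified model of PAM chain evaluation (OpenPAM/Linux-PAM control flags).
# Added example, not code from the thread; module results are constructed.

OK, FAIL = "ok", "fail"

def evaluate_chain(chain, results):
    """chain: list of (control_flag, module); results: module -> OK/FAIL.
    Returns the chain's final verdict following the control-flag rules."""
    required_failed = False   # a failed 'required' module sinks the chain at the end
    saw_decisive = False      # at least one non-optional module was evaluated
    last_optional = None
    for control, module in chain:
        res = results[module]
        if control == "required":
            saw_decisive = True
            if res == FAIL:
                required_failed = True      # remember, but keep running the chain
        elif control == "requisite":
            saw_decisive = True
            if res == FAIL:
                return FAIL                 # abort the chain immediately
        elif control == "sufficient":
            saw_decisive = True
            if res == OK and not required_failed:
                return OK                   # short-circuit: later modules are skipped
            # a failing 'sufficient' module is simply ignored
        elif control == "optional":
            last_optional = res             # only decisive if nothing else is
        else:
            raise ValueError(f"unknown control flag {control!r}")
    if required_failed:
        return FAIL
    if saw_decisive:
        return OK
    return last_optional if last_optional is not None else FAIL

# Constructed outcomes: root is a local account (pam_unix.so is satisfied) but
# is not a uniqueMember of the host entry, so pam_ldap.so rejects it.
ROOT = {"pam_ldap.so": FAIL, "pam_unix.so": OK}
LDAP_USER = {"pam_ldap.so": OK, "pam_unix.so": OK}

# Assumed stack behind the message: two 'required' account modules.
BOTH_REQUIRED = [("required", "pam_ldap.so"), ("required", "pam_unix.so")]
# Alternative ordering: a local success ends the chain before the LDAP check.
# Caveat: it also skips the LDAP host check for any user pam_unix.so accepts.
UNIX_SUFFICIENT = [("sufficient", "pam_unix.so"), ("required", "pam_ldap.so")]

def root_both_required():
    return evaluate_chain(BOTH_REQUIRED, ROOT)      # returns "fail" ("su: Sorry")

def root_unix_sufficient():
    return evaluate_chain(UNIX_SUFFICIENT, ROOT)    # returns "ok", pam_ldap.so never runs
```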