Date: Fri, 23 May 2003 01:45:44 +0200
From: Dag-Erling Smorgrav <des@ofug.org>
To: Gordon Tetlow <gordont@gnf.org>
Cc: Frank Bonnet <bonnetf@bart.esiee.fr>
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
Message-ID: <xzpof1uy28n.fsf@flood.ping.uio.no>
In-Reply-To: <20030522224850.GK87863@roark.gnf.org> (Gordon Tetlow's message of "Thu, 22 May 2003 15:48:50 -0700")
References: <20030522184631.A23366@bart.esiee.fr> <xzp65o2zkhf.fsf@flood.ping.uio.no> <20030522224850.GK87863@roark.gnf.org>

Gordon Tetlow <gordont@gnf.org> writes:
> Do you think it might be a good idea to turn all the pam configuration
> files to list actual providers at sufficient followed by a pam_deny:

No. I'd rather replace "sufficient" with "binding" where appropriate.

> > Solaris introduced the "binding" flag to try to alleviate this
> > problem. OpenPAM supports "binding", but does not document it
> > anywhere.
> I'm unfamiliar with this option. What's it do?

It behaves like "sufficient" should, i.e. failure is not ignored. I'm
working on updating the documentation.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
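
Added example, not part of the original message and not OpenPAM code: a simplified model of how the control flags discussed above decide a chain's outcome, using the flag rules described in OpenPAM's pam.conf(5). The function name `evaluate`, the sample chains and the module results are constructed for illustration, and the rule that a chain ending with no recorded failure is granted is an assumption of this model.

```python
# Simplified model of PAM control-flag evaluation (illustration only).

def evaluate(chain, results):
    """chain: list of (flag, module) in configuration order.
    results: module name -> True (module succeeds) / False (module fails).
    Returns (granted, modules_run)."""
    failed = False          # a failure that counts has been recorded
    ran = []
    for flag, module in chain:
        ran.append(module)
        if results[module]:
            # sufficient and binding end the chain on success,
            # but only if no earlier module recorded a failure.
            if flag in ("sufficient", "binding") and not failed:
                return True, ran
            continue
        if flag in ("required", "binding"):
            failed = True   # keep running the chain, deny at the end
        elif flag == "requisite":
            return False, ran
        # sufficient / optional: the failure is ignored
    # Assumption of this model: no recorded failure means the request is granted.
    return not failed, ran

# Constructed sample chains for the auth facility.
WITH_SUFFICIENT = [("sufficient", "pam_ldap"), ("required", "pam_unix")]
WITH_BINDING    = [("binding",    "pam_ldap"), ("required", "pam_unix")]
ALL_SUFFICIENT  = [("sufficient", "pam_ldap"), ("sufficient", "pam_unix")]
WITH_DENY       = ALL_SUFFICIENT + [("required", "pam_deny")]

if __name__ == "__main__":
    ldap_fails = {"pam_ldap": False, "pam_unix": True, "pam_deny": False}
    all_fail   = {"pam_ldap": False, "pam_unix": False, "pam_deny": False}
    for name, chain, res in [
        ("sufficient, ldap fails", WITH_SUFFICIENT, ldap_fails),
        ("binding, ldap fails",    WITH_BINDING,    ldap_fails),
        ("all sufficient, all fail", ALL_SUFFICIENT, all_fail),
        ("all sufficient + pam_deny", WITH_DENY,     all_fail),
    ]:
        granted, ran = evaluate(chain, res)
        print(f"{name:28s} -> {'granted' if granted else 'denied'} (ran {ran})")
```

In this model a failing "binding" module denies the request even when a later "required" module succeeds, so the swap is only appropriate where that module's verdict must count.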