Date: Thu, 18 Nov 2004 10:27:22 +0100
From: jesk <jesk@killall.org>
To: jesk@killall.org, Doug White <dwhite@gumbysoft.com>
Cc: freebsd-stable@freebsd.org
Subject: Re: Pam Authorization Problem
Message-ID: <2F887177131431751CB6B6CB@jesk.int.de.clara.net>
In-Reply-To: <BB0586A6DD82B937DC1DF167@jesk.int.de.clara.net>
References: <2627048885E8BF7F8DCDCFD2@jesk.int.de.clara.net> <200411102021.18553.pokui@psg.com> <001001c4c755$2eb4b980$45fea8c0@turbofresse> <20041117184612.J29048@carver.gumbysoft.com> <BB0586A6DD82B937DC1DF167@jesk.int.de.clara.net>
>> Because you have specified that the failure of pam_ldap is not fatal to
>> the account stack. The "sufficient" control means:
>> If this module returns success, then stop stack processing and return
>> success to the application. Otherwise continue processing.
>>
>> Since the access check constitutes a "failure" and "sufficient"
>> effectively ignores failures, you've made the access checks useless. :)
>>
>> You probably want to set it to "required", but there are a couple of
>> options to mask certain failure modes you may need to set so that you get
>> the proper fallback to local logins. Those options are
>>
>> ignore_unknown_user
>> ignore_authinfo_unavail
>>
>> Add these to the end of the 'account ..pam_ldap' line.

In fact, this really is working with these options:

---
# auth
auth        required    pam_nologin.so              no_warn
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so           no_warn allow_local
#auth       sufficient  pam_krb5.so                 no_warn try_first_pass
#auth       sufficient  pam_ssh.so                  no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth        required    pam_unix.so                 no_warn try_first_pass

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    pam_permit.so

# password
#password   sufficient  pam_krb5.so                 no_warn try_first_pass
password    required    pam_unix.so                 no_warn try_first_pass
---

I am very amazed, because I thought that with this LDAP line it is also necessary that 'account required pam_unix.so' must return 'ok' for the authorization part to be successful, but the LDAP account is not available there. But thanks anyway, it solved my requirements!

regards,
christian
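The control-flag behaviour Doug describes above is easy to get wrong by reading a pam.conf alone, so here is an added example (not code from the thread, from OpenPAM or from pam_ldap) that models how an OpenPAM-style dispatcher walks the three "account" stacks in play: the original one with pam_ldap marked "sufficient", a bare "required" pam_ldap, and the final "required ... ignore_authinfo_unavail ignore_unknown_user" line. The module functions, the LDAP directory, the local passwd set and the return codes are constructed stand-ins; pam_unix is assumed to succeed for any account it can resolve through NSS, which is an assumption about the poster's setup, not something the thread states.

```python
"""Model of OpenPAM stack dispatch applied to the 'account' stacks in the thread.
Everything here is a simplified simulation: real module behaviour differs in detail."""
from enum import Enum


class Ret(Enum):
    SUCCESS = "PAM_SUCCESS"
    IGNORE = "PAM_IGNORE"
    PERM_DENIED = "PAM_PERM_DENIED"
    USER_UNKNOWN = "PAM_USER_UNKNOWN"
    AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"


# Constructed world: an LDAP directory with a per-user access decision, and a
# local passwd file. env["ldap_up"] toggles whether the LDAP server answers.
LDAP_DIR = {"alice": {"access_allowed": True}, "bob": {"access_allowed": False}}
LOCAL_PASSWD = {"root", "operator"}


def pam_login_access(user, opts, env):
    # Assumption: /etc/login.access permits everyone in this model.
    return Ret.SUCCESS


def pam_ldap_account(user, opts, env):
    """Stand-in for pam_ldap's account check. The two ignore_* options map the
    named error to PAM_IGNORE, which is what lets local-only logins fall through."""
    if not env["ldap_up"]:
        return Ret.IGNORE if "ignore_authinfo_unavail" in opts else Ret.AUTHINFO_UNAVAIL
    entry = LDAP_DIR.get(user)
    if entry is None:
        return Ret.IGNORE if "ignore_unknown_user" in opts else Ret.USER_UNKNOWN
    return Ret.SUCCESS if entry["access_allowed"] else Ret.PERM_DENIED


def pam_unix_account(user, opts, env):
    """Stand-in for pam_unix: succeeds for any account getpwnam() can resolve
    (assumed: local passwd, or LDAP via nss_ldap while the server is up)."""
    known = user in LOCAL_PASSWD or (env["ldap_up"] and user in LDAP_DIR)
    return Ret.SUCCESS if known else Ret.USER_UNKNOWN


def dispatch(chain, user, env):
    """Simplified OpenPAM rules: PAM_IGNORE is skipped whatever the flag;
    'sufficient' success ends the chain with success unless a 'required'
    module already failed, and 'sufficient' failure is simply ignored;
    'required' failure is remembered but the walk continues; 'requisite'
    failure stops the walk at once; 'optional' results never count."""
    first_error = None
    for control, module, opts in chain:
        r = module(user, opts, env)
        if r is Ret.IGNORE:
            continue
        if r is Ret.SUCCESS:
            if control == "sufficient" and first_error is None:
                return Ret.SUCCESS
            continue
        if control in ("required", "requisite") and first_error is None:
            first_error = r
        if control == "requisite":
            break
    return first_error or Ret.SUCCESS


IGNORES = ("ignore_authinfo_unavail", "ignore_unknown_user")

# The original problem stack: pam_ldap's access denial is discarded.
BEFORE = [("required", pam_login_access, ()),
          ("sufficient", pam_ldap_account, ()),
          ("required", pam_unix_account, ())]
# 'required' alone: denial now sticks, but so do 'unknown user' and 'server down'.
REQUIRED_BARE = [("required", pam_login_access, ()),
                 ("required", pam_ldap_account, ()),
                 ("required", pam_unix_account, ())]
# The stack the poster ended up with.
AFTER = [("required", pam_login_access, ()),
         ("required", pam_ldap_account, IGNORES),
         ("required", pam_unix_account, ())]


def compare(user, ldap_up=True):
    """Run one user through all three stacks; returns {stack_name: PAM code}."""
    env = {"ldap_up": ldap_up}
    return {name: dispatch(chain, user, env).value
            for name, chain in (("before", BEFORE),
                                ("required_bare", REQUIRED_BARE),
                                ("after", AFTER))}


if __name__ == "__main__":
    for user, up in (("alice", True), ("bob", True), ("root", True), ("root", False)):
        print(f"{user:6} ldap_up={up!s:5} ->", compare(user, up))
```

The interesting rows are "bob", whom LDAP says may not log in, and "root" with the LDAP server down: the "before" stack admits both because a "sufficient" failure is discarded, the bare "required" stack denies bob but also locks out root whenever LDAP is unreachable or does not know the user, and only the "after" stack denies bob while still letting the local account through.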
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2F887177131431751CB6B6CB>