Re: 5.1 beta2 still in trouble with pam_ldap

From: Dag-Erling Smorgrav <des_at_ofug.org>
Date: Fri, 23 May 2003 00:26:20 +0200
Frank Bonnet <bonnetf_at_bart.esiee.fr> writes:
> if in any file of the pam.d directory I replace
> the original line :
>
> auth           required        pam_unix.so             no_warn try_first_pass nullok
>
> by the following 
>
> auth            sufficient      /usr/local/lib/pam_ldap.so
>
> for example in the /etc/pam.d/su file I can perform the "su -"
> command WITHOUT TYPING ANY PASSWORD from a normal user login.

If pam_ldap is the last line, it should be "required", not
"sufficient"; alternatively it should be followed by pam_deny.  This
is (imperfectly) documented in /etc/pam.d/README:

 Note that having a "sufficient" module as the last entry for a
 particular service and module type may result in surprising behaviour.
 To get the intended semantics, add a "required" entry listing the
 pam_deny module at the end of the chain.

Solaris introduced the "binding" flag to try to alleviate this
problem.  OpenPAM supports "binding", but does not document it
anywhere.

DES
-- 
Dag-Erling Smorgrav - des_at_ofug.org
Received on Thu May 22 2003 - 13:26:24 UTC
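The following is an added example, not part of the original thread and not FreeBSD or OpenPAM code: a small Python simulation of how an auth chain is evaluated under the control-flag rules documented in pam.conf(5). It shows what Frank's edit does (a failing "sufficient" pam_ldap as the last entry leaves the verdict to whatever the implementation returns when no module decided) and how each of the fixes DES mentions makes the denial explicit: "required pam_ldap.so", a trailing "required pam_deny.so", or the Solaris-style "binding" flag. The chains, the pam_rootok line, the per-module result table and the `undecided_default` parameter are all constructed for illustration; they are not the real /etc/pam.d/su.

```python
# Added example: simulate PAM control-flag evaluation for an auth chain.
# Nothing here is FreeBSD's or OpenPAM's code; chains and results are constructed.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"


def run_chain(chain, results, undecided_default):
    """Evaluate `chain` (list of (flag, module) pairs) using `results`, a dict
    mapping module name to the code it would return for this caller.

    Flag rules modelled (the documented pam.conf semantics):
      requisite  - failure ends the chain immediately with that error
      required   - failure is recorded (first one wins), evaluation continues
      sufficient - success ends the chain with PAM_SUCCESS unless an earlier
                   required/binding module failed; a failure is ignored
      binding    - Solaris flag: like sufficient on success, like required on failure
      optional   - result ignored here
    `undecided_default` is an assumption standing in for whatever a given
    implementation returns when the chain runs out with no module deciding;
    that is the case the /etc/pam.d/README note calls surprising.
    """
    recorded_failure = None
    for flag, module in chain:
        r = results[module]
        if flag == "requisite":
            if r != PAM_SUCCESS:
                return r
        elif flag == "required":
            if r != PAM_SUCCESS and recorded_failure is None:
                recorded_failure = r
        elif flag == "sufficient":
            if r == PAM_SUCCESS and recorded_failure is None:
                return PAM_SUCCESS
        elif flag == "binding":
            if r == PAM_SUCCESS:
                if recorded_failure is None:
                    return PAM_SUCCESS
            elif recorded_failure is None:
                recorded_failure = r
        elif flag == "optional":
            pass
        else:
            raise ValueError("unknown control flag: %s" % flag)
    if recorded_failure is not None:
        return recorded_failure
    return undecided_default


# Frank's edit reduced to the lines that matter: pam_ldap is last and "sufficient".
WEAK_CHAIN = [
    ("sufficient", "pam_rootok.so"),
    ("sufficient", "pam_ldap.so"),
]

# The fixes DES describes: terminate with pam_deny, or make pam_ldap required.
DENY_TERMINATED_CHAIN = WEAK_CHAIN + [("required", "pam_deny.so")]
REQUIRED_LDAP_CHAIN = [("sufficient", "pam_rootok.so"), ("required", "pam_ldap.so")]

# Solaris-style alternative: binding keeps early exit on success, records failure.
BINDING_CHAIN = [("sufficient", "pam_rootok.so"), ("binding", "pam_ldap.so")]

# Constructed outcomes for an ordinary user whose LDAP check fails.
NORMAL_USER_BAD_PASSWORD = {
    "pam_rootok.so": PAM_PERM_DENIED,  # caller is not root
    "pam_ldap.so": PAM_AUTH_ERR,       # LDAP rejected the password
    "pam_deny.so": PAM_AUTH_ERR,       # pam_deny always fails
}

# Root running su: pam_rootok succeeds and should short-circuit the chain.
ROOT_USER = dict(NORMAL_USER_BAD_PASSWORD, **{"pam_rootok.so": PAM_SUCCESS})


def weak_chain_verdict(default):
    """With no required module in the chain, the verdict is the implementation default."""
    return run_chain(WEAK_CHAIN, NORMAL_USER_BAD_PASSWORD, default)


def fixed_chain_verdicts():
    """Every fix denies the normal user even under a permissive default."""
    return {
        "pam_deny": run_chain(DENY_TERMINATED_CHAIN, NORMAL_USER_BAD_PASSWORD, PAM_SUCCESS),
        "required_ldap": run_chain(REQUIRED_LDAP_CHAIN, NORMAL_USER_BAD_PASSWORD, PAM_SUCCESS),
        "binding_ldap": run_chain(BINDING_CHAIN, NORMAL_USER_BAD_PASSWORD, PAM_SUCCESS),
    }


def root_still_works():
    """pam_deny at the end does not break the early pam_rootok success."""
    return run_chain(DENY_TERMINATED_CHAIN, ROOT_USER, PAM_AUTH_ERR)


if __name__ == "__main__":
    print("weak chain, permissive default :", weak_chain_verdict(PAM_SUCCESS))
    print("weak chain, strict default     :", weak_chain_verdict(PAM_PERM_DENIED))
    print("fixed chains                   :", fixed_chain_verdicts())
    print("root via pam_rootok + pam_deny :", root_still_works())
```

The weak chain's verdict flips with `undecided_default`, which is the whole problem: the outcome depends on an implementation detail rather than on the policy written in the file. Once a "required" entry (pam_ldap itself, or pam_deny as the terminator) records a failure, the default never comes into play, while an earlier "sufficient" success such as pam_rootok for root still short-circuits as intended.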
